Bug 716538 (CVE-2011-2496)

Summary: CVE-2011-2496 kernel: mm: avoid wrapping vm_pgoff in mremap() and stack expansions
Product: [Other] Security Response Reporter: Petr Matousek <pmatouse>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: anton, arozansk, bhu, davej, dhoward, fhrbata, jkacur, kernel-mgr, kmcmartin, lgoncalv, lwang, marcio, plougher, rt-maint, sforsber, tcallawa, vdanen, vgoyal, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-04-06 02:11:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 716540, 716541, 716543, 716544, 716545    
Bug Blocks:    

Description Petr Matousek 2011-06-24 20:10:35 UTC 
The normal mmap paths all avoid creating a mapping where the pgoff inside the mapping could wrap around due to overflow.  However, an expanding mremap() can take such a non-wrapping mapping and make it bigger and cause a wrapping condition. There is also another case where we expand mappings hiding in plain sight: the automatic stack expansion.

The wrapping condition can cause a BUG_ON() due to terminally confusing the vma_prio_tree code.

Upstream patches:
982134ba62618c2d69fbbbd166d0a11ee3b7e3d8 mremap
a626ca6a656450e9f4df91d0dda238fff23285f4 stack expansion downwards
42c36f63ac1366ab0ecc2d5717821362c259f517 stack expansion upwards

References:
http://www.spinics.net/lists/stable-commits/msg11385.html
http://www.spinics.net/lists/linux-mm/msg17093.html
http://groups.google.com/group/fa.linux.kernel/msg/9e43ab898c5e6d16

Acknowledgements:                                                               

Red Hat would like to thank Robert Swiecki for reporting this issue.
Comment 3 Petr Matousek 2011-06-24 20:27:40 UTC 
*** Bug 713614 has been marked as a duplicate of this bug. ***
Comment 6 Vincent Danen 2011-06-27 23:08:20 UTC 
This was assigned the name CVE-2011-2496:

http://seclists.org/oss-sec/2011/q2/689
Comment 10 errata-xmlrpc 2011-09-12 19:45:46 UTC 
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2011:1253 https://rhn.redhat.com/errata/RHSA-2011-1253.html
Comment 11 errata-xmlrpc 2011-10-05 21:47:49 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1350 https://rhn.redhat.com/errata/RHSA-2011-1350.html
Comment 12 errata-xmlrpc 2011-10-20 17:28:50 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1386 https://rhn.redhat.com/errata/RHSA-2011-1386.html