Bug 755455 (CVE-2011-4325)

Summary: CVE-2011-4325 kernel: nfs: diotest4 from LTP crash client null pointer deref
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agordeev, anton, arozansk, bhu, dhoward, fhrbata, jkacur, kernel-mgr, lgoncalv, lwang, plougher, pmatouse, rt-maint, security-response-team, sforsber, vgoyal, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-05-04 07:57:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 754620, 755457, 782689    
Bug Blocks: 755452    

Description Eugene Teo (Security Response) 2011-11-21 07:52:20 UTC 
diotest4 from LTP will crash client on NFS mount. Not a regression, 5.7 GA
kernel has the same issue.

Unable to handle kernel NULL pointer dereference at 0000000000000038 RIP:
 [<ffffffff887aed65>] :nfs:__put_nfs_open_context+0x7/0x93
PGD 16bba2067 PUD 14bcd1067 PMD 0
Oops: 0000 [1] SMP
last sysfs file: /devices/pci0000:00/0000:00:00.0/local_cpus
CPU 2
Modules linked in: nfs nfsd exportfs nfs_acl auth_rpcgss autofs4 hidp rfcomm
l2cap bluetooth lockd sunrpc cpufreq_ondemand acpi_cpufreq freq_table mperf
ipt_REJECT ip6t_REJECT xt_tcpudp ip6table_filter ip6_tables x_tables be2iscsi
ib_iser rdma_cm ib_cm iw_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp bnx2i cnic
ipv6 xfrm_nalgo crypto_api uio cxgb3i libcxgbi cxgb3 8021q libiscsi_tcp
libiscsi2 scsi_transport_iscsi2 scsi_transport_iscsi dm_mirror dm_multipath
scsi_dh video backlight sbs power_meter hwmon i2c_ec dell_wmi wmi button
battery asus_acpi acpi_memhotplug ac parport_pc lp parport joydev i2c_i801
i2c_core ide_cd cdc_ether i7core_edac cdrom usbnet edac_mc tpm_tis tpm tpm_bios
bnx2 sg pcspkr dm_raid45 dm_message dm_region_hash dm_log dm_mod dm_mem_cache
ata_piix libata shpchp megaraid_sas sd_mod scsi_mod ext3 jbd uhci_hcd ohci_hcd
ehci_hcd
Pid: 4577, comm: diotest4 Not tainted 2.6.18-296.el5 #1
RIP: 0010:[<ffffffff887aed65>]  [<ffffffff887aed65>]
:nfs:__put_nfs_open_context+0x7/0x93
RSP: 0018:ffff810153cc1d28  EFLAGS: 00010246
RAX: ffff81014df95b10 RBX: ffff81014df95840 RCX: ffff81017fe5e608
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff81014df95840 R08: ffff81014df95840 R09: 0000000000000000
R10: ffff81014df95840 R11: 0000000000000310 R12: 0000000000000000
R13: 0000000000001000 R14: ffff81014aff9218 R15: ffff81014ced68c0
FS:  00002b51e08b3af0(0000) GS:ffff810105524ec0(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000038 CR3: 000000014a8fb000 CR4: 00000000000006a0
Process diotest4 (pid: 4577, threadinfo ffff810153cc0000, task
ffff81017fc877a0)
Stack:  ffff81014df95840 ffff81014df95840 ffff81014ced6898 ffffffff887b4459
 fffffffffffffff4 ffffffff887ccca6 ffff810153cc1e68 0000000000001000
 ffff810153cc1e08 ffff81014a335a00 0000000000001000 0000000000008000
Call Trace:
 [<ffffffff887b4459>] :nfs:nfs_readdata_release+0x10/0x16
 [<ffffffff887ccca6>] :nfs:nfs_file_direct_read+0x1b8/0x52f
 [<ffffffff8000cf47>] do_sync_read+0xc7/0x104
 [<ffffffff887aef81>] :nfs:nfs_open+0x10b/0x125
 [<ffffffff800a3346>] autoremove_wake_function+0x0/0x2e
 [<ffffffff8000b72f>] vfs_read+0xcb/0x171
 [<ffffffff80011d15>] sys_read+0x45/0x6e
 [<ffffffff8005d28d>] tracesys+0xd5/0xe0


Code: 48 8b 47 38 48 89 fb 48 8b 68 10 48 8d b5 b4 00 00 00 e8 c9
RIP  [<ffffffff887aed65>] :nfs:__put_nfs_open_context+0x7/0x93
 RSP <ffff810153cc1d28>
CR2: 0000000000000038
 <0>Kernel panic - not syncing: Fatal exception
Comment 2 Eugene Teo (Security Response) 2011-11-22 02:01:00 UTC 
Upstream commit:
http://git.kernel.org/linus/1ae88b2e4 (v2.6.31-rc6)
Comment 3 Petr Matousek 2012-01-10 19:01:15 UTC 
Statement:

This issue did not affect the version of the Linux kernel as shipped with Red
Hat Enterprise Linux 4, 6 and Red Hat Enterprise MRG. This has been addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2012-0007.html.
Comment 4 errata-xmlrpc 2012-01-10 20:09:56 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0007 https://rhn.redhat.com/errata/RHSA-2012-0007.html
Comment 5 Eugene Teo (Security Response) 2012-01-18 07:15:34 UTC 
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 782689]