Bug 757143 (CVE-2011-4348)

Summary: CVE-2011-4348 kernel: incomplete fix for CVE-2011-2482
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Target Release: ---
Reporter: Petr Matousek <pmatouse>
Assignee: Red Hat Product Security <security-response-team>
CC: agordeev, anton, arozansk, dhoward, fhrbata, jrusnack, kernel-mgr, lwang, plougher, rcvalle, rnelson, security-response-team, sforsber, vgoyal
Keywords: Security
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2012-05-10 08:10:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 757146
Bug Blocks: 731905

Description Petr Matousek 2011-11-25 15:14:02 UTC
When testing [CVE-2011-2482] with SELinux disabled (haven't triggered a panic on
the patched kernel with SELinux on), the reproducer run as a regular user causes
soft lockups and the machine becomes completely unresponsive on the patched kernel.
The target machine was unresponsive after the remote part of the reproducer (con) was killed.
The target with the patched kernel needed to be rebooted to start working regularly.

[root@intel-mahobay-01 ~]# setenforce 0
[test@intel-mahobay-01 ~]$ uname -r
2.6.18-238.30.1.el5
[test@intel-mahobay-01 ~]$ for i in 3333 3334 3335 3336; do
> ./acc -a 1 -p $i -K -k 10000 -K -F 1 -R -U -W & done
[test@intel-mahobay-01 ~]$ BUG: soft lockup - CPU#2 stuck for 60s! [acc:5861]
CPU 2:
Modules linked in: md5 sctp autofs4 hidp rfcomm l2cap bluetooth lockd sunrpc
cpufreq_ondemand acpi_cpufreq freq_table mperf be2iscsi ib_iser rdma_cm ib_cm
iw_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp bnx2i cnic ipv6 xfrm_nalgo
crypto_api uio cxgb3i cxgb3 libiscsi_tcp libiscsi2 scsi_transport_iscsi2
scsi_transport_iscsi loop dm_multipath scsi_dh video backlight sbs power_meter
hwmon i2c_ec i2c_core dell_wmi wmi button battery asus_acpi acpi_memhotplug ac
lp sr_mod cdrom parport_serial sg e1000e parport_pc shpchp igb parport 8021q
tpm_tis dca tpm pcspkr tpm_bios dm_raid45 dm_message dm_region_hash
dm_mem_cache dm_snapshot dm_zero dm_mirror dm_log dm_mod ahci libata sd_mod
scsi_mod ext3 jbd uhci_hcd ohci_hcd ehci_hcd
Pid: 5861, comm: acc Not tainted 2.6.18-238.30.1.el5 #1
RIP: 0010:[<ffffffff80064be3>]  [<ffffffff80064be3>]
.text.lock.spinlock+0x29/0x30
RSP: 0018:ffff810139751dc8  EFLAGS: 00000282
RAX: ffff810139751fd8 RBX: 0000000000000000 RCX: ffff81013a7660d0
RDX: ffff81014daa38d0 RSI: ffff81014daa38d0 RDI: ffff810139dd89c0
RBP: ffff810139e82e00 R08: ffff810146e56700 R09: 0000000000000000
R10: ffff810139751b68 R11: ffff81013a352000 R12: 0000000000000292
R13: ffff81014daa38a8 R14: ffffffff88671ba7 R15: 0000000000000296
FS:  00002aaed65086e0(0000) GS:ffff81014e4ffe40(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00007fff136a7c40 CR3: 000000013a3a6000 CR4: 00000000000006e0

Call Trace:
 [<ffffffff80064ae9>] _spin_lock_bh+0x9/0x14
 [<ffffffff80030fe6>] release_sock+0x13/0xc1
 [<ffffffff8867f048>] :sctp:sctp_accept+0x1b7/0x1d0
 [<ffffffff800a2884>] autoremove_wake_function+0x0/0x2e
 [<ffffffff8026822a>] inet_accept+0x25/0xcb
 [<ffffffff8022b938>] sys_accept+0x11c/0x1ea
 [<ffffffff80030fe6>] release_sock+0x13/0xc1
 [<ffffffff8022d9cb>] sock_setsockopt+0x4d3/0x4e5
 [<ffffffff800b95d4>] audit_syscall_entry+0x1a4/0x1cf
 [<ffffffff8005d28d>] tracesys+0xd5/0xe0

BUG: soft lockup - CPU#7 stuck for 60s! [ksoftirqd/7:24]
CPU 7:
Modules linked in: md5 sctp autofs4 hidp rfcomm l2cap bluetooth lockd sunrpc
cpufreq_ondemand acpi_cpufreq freq_table mperf be2iscsi ib_iser rdma_cm ib_cm
iw_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp bnx2i cnic ipv6 xfrm_nalgo
crypto_api uio cxgb3i cxgb3 libiscsi_tcp libiscsi2 scsi_transport_iscsi2
scsi_transport_iscsi loop dm_multipath scsi_dh video backlight sbs power_meter
hwmon i2c_ec i2c_core dell_wmi wmi button battery asus_acpi acpi_memhotplug ac
lp sr_mod cdrom parport_serial sg e1000e parport_pc shpchp igb parport 8021q
tpm_tis dca tpm pcspkr tpm_bios dm_raid45 dm_message dm_region_hash
dm_mem_cache dm_snapshot dm_zero dm_mirror dm_log dm_mod ahci libata sd_mod
scsi_mod ext3 jbd uhci_hcd ohci_hcd ehci_hcd
Pid: 24, comm: ksoftirqd/7 Not tainted 2.6.18-238.30.1.el5 #1
RIP: 0010:[<ffffffff80064bbf>]  [<ffffffff80064bbf>]
.text.lock.spinlock+0x5/0x30
RSP: 0018:ffff810104a6fcb0  EFLAGS: 00000282
RAX: 0000000000000000 RBX: ffff81014717c480 RCX: 0000000000000000
RDX: ffff810139e05d60 RSI: ffff810104a6fd14 RDI: ffff810139dd89c0
RBP: ffff810104a6fc30 R08: ffff810139e05cc0 R09: 0000000000000000
R10: ffff810139e05cc0 R11: 00000000000000f8 R12: ffffffff8005dc8e
R13: ffff810139e05cc0 R14: ffffffff80078f1d R15: ffff810104a6fc30
FS:  0000000000000000(0000) GS:ffff81014e59e340(0000) knlGS:0000000000000000
CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
CR2: 00007fff136a7c34 CR3: 0000000000201000 CR4: 00000000000006e0

Call Trace:
 <IRQ>  [<ffffffff8868093c>] :sctp:sctp_rcv+0x61e/0x7ba
 [<ffffffff8008f355>] scheduler_tick+0xc3/0x35f
 [<ffffffff80034b1e>] ip_local_deliver+0x19d/0x263
 [<ffffffff80035c7a>] ip_rcv+0x539/0x57c
 [<ffffffff80020bdc>] netif_receive_skb+0x470/0x49f
 [<ffffffff8823ebfb>] :e1000e:e1000_receive_skb+0x1b5/0x1d6
 [<ffffffff8824390d>] :e1000e:e1000_clean_rx_irq+0x271/0x318
 [<ffffffff88241abc>] :e1000e:e1000_clean+0x7c/0x29b
 [<ffffffff8000ca35>] net_rx_action+0xac/0x1b3
 [<ffffffff80012537>] __do_softirq+0x89/0x133
 [<ffffffff8005e2fc>] call_softirq+0x1c/0x28
 <EOI>  [<ffffffff80096395>] ksoftirqd+0x0/0xbf
 [<ffffffff8006d5f5>] do_softirq+0x2c/0x7d
 [<ffffffff800963f4>] ksoftirqd+0x5f/0xbf
 [<ffffffff80032b28>] kthread+0xfe/0x132
 [<ffffffff8005dfb1>] child_rip+0xa/0x11
 [<ffffffff80032a2a>] kthread+0x0/0x132
 [<ffffffff8005dfa7>] child_rip+0x0/0x11

Comment 3 Vincent Danen 2012-01-10 18:26:08 UTC
Statement:

This issue did not affect the version of the Linux kernel as shipped with Red Hat Enterprise Linux 4, 6 and Red Hat Enterprise MRG as they were not vulnerable to CVE-2011-2482. This has been addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2012-0007.html.

Comment 4 errata-xmlrpc 2012-01-10 20:10:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0007 https://rhn.redhat.com/errata/RHSA-2012-0007.html

Comment 5 Eugene Teo (Security Response) 2012-03-05 02:16:15 UTC
Upstream commit:
http://git.kernel.org/linus/ae53b5bd77719fed58086c5be60ce4f22bffe1c6