Bug 794557 (CVE-2012-0810)

Summary: CVE-2012-0810 kernel-rt: stack corruption when task gets scheduled out using the debug stack
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agordeev, anton, arozansk, bhu, davids, dhoward, fhrbata, jkacur, kernel-mgr, L.Bonnaud, lgoncalv, lwang, plougher, pmatouse, rt-maint, security-response-team, sforsber, srostedt, vgoyal, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-05-10 15:23:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 784358    
Bug Blocks: 784680    

Description Eugene Teo (Security Response) 2012-02-17 05:16:55 UTC 
The issue is that the int3 handler uses a per CPU debug stack, and calls do_traps() with interrupts enabled but preemption disabled. Then a signal is sent to the current process, and the code that handles the signal grabs a spinlock. This spinlock becomes a mutex (sleeping lock) when CONFIG_PREEMPT_RT_FULL is enabled.

If there is contention on this lock then the task may schedule out. As the task is using a per CPU stack, and another task may come in and use the same stack, the stack can become corrupted and cause the kernel to panic.
Comment 4 Eugene Teo (Security Response) 2012-02-20 16:51:07 UTC 
https://lkml.org/lkml/2012/1/25/157
https://lkml.org/lkml/2012/2/1/638
https://lkml.org/lkml/2012/2/3/309
https://lkml.org/lkml/2012/2/7/469
Comment 5 errata-xmlrpc 2012-02-23 20:24:42 UTC 
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:0333 https://rhn.redhat.com/errata/RHSA-2012-0333.html
Comment 6 Eugene Teo (Security Response) 2012-02-24 14:31:30 UTC 
Upstream patches:
http://git.kernel.org/linus/968544b96be6801bee3e5974fd1dc29e5ab454ff
http://git.kernel.org/linus/1bb57b5ea265a1fe2974b6b84fe819489a37e6b3
Comment 7 Laurent Bonnaud 2012-03-23 17:14:47 UTC 
> http://git.kernel.org/linus/968544b96be6801bee3e5974fd1dc29e5ab454ff
> http://git.kernel.org/linus/1bb57b5ea265a1fe2974b6b84fe819489a37e6b3

Those links display a page with this error message:

404 - Unknown commit object
Comment 8 Eugene Teo (Security Response) 2012-03-26 07:11:26 UTC 
(In reply to comment #7)
> > http://git.kernel.org/linus/968544b96be6801bee3e5974fd1dc29e5ab454ff
> > http://git.kernel.org/linus/1bb57b5ea265a1fe2974b6b84fe819489a37e6b3
> 
> Those links display a page with this error message:
> 
> 404 - Unknown commit object

I might have mixed it up with an internal repo. I will get back to you on this. Thanks.
Comment 9 Eugene Teo (Security Response) 2012-03-27 08:05:27 UTC 
(Ignore comment #6-8)

Upstream patches:
http://git.kernel.org/?p=linux/kernel/git/rt/linux-stable-rt.git;a=commit;h=bcf6b1d78c0bde228929c388978ed3af9a623463
http://git.kernel.org/?p=linux/kernel/git/rt/linux-stable-rt.git;a=commit;h=e5d4e1c3ccee18c68f23d62ba77bda26e893d4f0
Comment 10 Eugene Teo (Security Response) 2012-03-27 08:06:26 UTC 
Statement:

This issue did not affect the Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, and 6. This has been addressed in Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2012-0333.html.