Bug 853474 (CVE-2012-4398)

Summary: CVE-2012-4398 kernel: request_module() OOM local DoS
Product: [Other] Security Response Reporter: Petr Matousek <pmatouse>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agordeev, anton, bhu, davej, dhoward, dzickus, fhrbata, gansalmon, iboverma, itamar, jforbes, jkacur, jneedle, jonathan, jwboyer, kernel-maint, kernel-mgr, lgoncalv, lwang, madhu.chinakonda, mcressma, plougher, prarit, rt-maint, sforsber, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20120323,reported=20120507,source=researcher,cvss2=4.7/AV:L/AC:M/Au:N/C:N/I:N/A:C,rhel-5/kernel=affected,rhel-6/kernel=affected,mrg-2/realtime-kernel=affected,fedora-all/kernel=notaffected,rhel-7/kernel=notaffected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-08-24 09:30:04 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 819529, 819736, 858752, 858753, 858755    
Bug Blocks: 853475    

Description Petr Matousek 2012-08-31 12:34:46 EDT
As Tetsuo Handa pointed out, request_module() can stress the system while the oom-killed caller sleeps in TASK_UNINTERRUPTIBLE.

The task T uses "almost all" memory, then it does something which triggers request_module().  Say, it can simply call sys_socket().  This in turn needs more memory and leads to OOM.  oom-killer correctly chooses T and kills it, but this can't help because it sleeps in TASK_UNINTERRUPTIBLE and after that oom-killer becomes "disabled" by the TIF_MEMDIE task T.

A local unprivileged user can make the system unusable.

Upstream fixes:
(1) 70834d30 "usermodehelper: use UMH_WAIT_PROC consistently"
(2) b3449922 "usermodehelper: introduce umh_complete(sub_info)"
(3) d0bd587a "usermodehelper: implement UMH_KILLABLE"
(4) 9d944ef3 "usermodehelper: kill umh_wait, renumber UMH_* constants"
(5) 5b9bd473 "usermodehelper: ____call_usermodehelper() doesn't need do_exit()"
(6) 3e63a93b "kmod: introduce call_modprobe() helper"
(7) 1cc684ab "kmod: make __request_module() killable"

According to the reporter, (1) and (4) are optional and safer to exclude.

References:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/963685

Acknowledgements:

Red Hat would like to thank Tetsuo Handa for reporting this issue.
Comment 3 Petr Matousek 2012-09-19 11:40:28 EDT
Statement:

This issue does affect the versions of the Linux kernel as shipped with Red
Hat Enterprise Linux 5, 6 and Red Hat Enteprise MRG. Future kernel updates may address this flaw.
Comment 4 errata-xmlrpc 2012-09-19 14:04:23 EDT
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:1282 https://rhn.redhat.com/errata/RHSA-2012-1282.html
Comment 6 errata-xmlrpc 2013-02-05 14:55:50 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0223 https://rhn.redhat.com/errata/RHSA-2013-0223.html
Comment 10 errata-xmlrpc 2013-09-30 19:32:42 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1348 https://rhn.redhat.com/errata/RHSA-2013-1348.html