Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1094363 - (CVE-2014-0203) CVE-2014-0203 kernel: fs: slab corruption due to the invalid last component type during do_filp_open()
CVE-2014-0203 kernel: fs: slab corruption due to the invalid last component t...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20140619,repor...
: Security
Depends On: 1079347 1094370
Blocks: 1094374
  Show dependency treegraph
 
Reported: 2014-05-05 10:10 EDT by Petr Matousek
Modified: 2015-07-31 03:20 EDT (History)
18 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-23 02:54:12 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0771 normal SHIPPED_LIVE Important: kernel security and bug fix update 2014-06-19 17:52:21 EDT

  None (edit)
Description Petr Matousek 2014-05-05 10:10:08 EDT 
It was found that proc_ns_follow_link() doesn't return LAST_BIND (unlike
proc_pid_follow_link()) which leads to the slab corruption caused by
(excessive) putname() in do_filp_open().

The slab corruption later manifests itself in the form of BUG() in
cache_alloc_refill() when performing "$ echo > /proc/$$/ns/pid" --

kernel BUG at mm/slab.c:3069!
invalid opcode: 0000 [#1] SMP
last sysfs file: /sys/devices/system/node/node0/meminfo
CPU 1
Modules linked in:
Pid: 2249, comm: bash Not tainted 2.6.32-431.5.1.el6.x86_64 #1
RIP: 0010:[<ffffffff8116ed14>]  [<ffffffff8116ed14>] cache_alloc_refill+0x1e4/0x240
RSP: 0018:ffff88007b69fe38  EFLAGS: 00010082
RAX: 000000000000000c RBX: ffff88007ec30f00 RCX: 00000000ffffffff
RDX: 000000000000000c RSI: 0000000000000000 RDI: ffff88007fa96580
RBP: ffff88007b69fe98 R08: 0000000000000000 R09: 000000000000002a
R10: 0000000000000076 R11: 0000000000000000 R12: ffff88007fa96580
R13: ffff88007fae8c40 R14: 000000000000000c R15: ffff88007d9386c0
FS:  00007f6f8819b700(0000) GS:ffff88000c420000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000006d3d88 CR3: 00000000374d1000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process bash (pid: 2249, threadinfo ffff88007b69e000, task ffff8800379a5540)
Stack:
 ffff88007b69fe58 00000000811a1edf ffff88007fae8c80 000412d07bdf1500
 ffff88007fae8c60 ffff88007fae8c50 ffff88007b69feb8 0000000001440530
 00000000000000d0 ffff88007ec30f00 00000000000000d0 0000000000000246
Call Trace:
 [<ffffffff8116fdcf>] kmem_cache_alloc+0x15f/0x190
 [<ffffffff81196ff7>] getname+0x47/0x240
 [<ffffffff81185ce2>] do_sys_open+0x32/0x140
 [<ffffffff81185e30>] sys_open+0x20/0x30
 [<ffffffff8100b072>] system_call_fastpath+0x16/0x1b
Code: 89 ff e8 70 57 12 00 eb 99 66 0f 1f 44 00 00 41 c7 45 60 01 00 00 00 4d 8b 7d 20 4c 39 7d c0 0f 85 f2 fe ff ff eb 84 0f 0b eb fe <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 eb f4 8b 55 ac 8b 75 bc 31
RIP  [<ffffffff8116ed14>] cache_alloc_refill+0x1e4/0x240
 RSP <ffff88007b69fe38>

An unprivileged local user could use this flaw to crash the system.
 
Upstream fix:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=86acdca1b63e6890540fa19495cfc708beff3d8b

Acknowledgements:

Red Hat would like to thank Vladimir Davydov of Parallels for reporting this issue.
Comment 2 Petr Matousek 2014-06-18 05:57:54 EDT 
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 7 and Red Hat Enterprise MRG 2.
Comment 3 errata-xmlrpc 2014-06-19 13:53:55 EDT 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0771 https://rhn.redhat.com/errata/RHSA-2014-0771.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.