Bug 184510 - CVE-2006-0557 get_nodes crash
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: All Linux
Priority: medium   Severity: high
Assigned To: Ernie Petrides
QA Contact: Brian Brock
Whiteboard: public=20060217,source=vendorsec,repo...
Duplicates: 183665

Reported: 2006-03-09 08:16 EST by Mark J. Cox (Product Security)
Modified: 2007-11-30 17:07 EST (History)
Fixed In Version: RHBA-2007-0304
Doc Type: Bug Fix
Last Closed: 2007-05-07 20:42:49 EDT

Attachments
  test program used to validate fix (448 bytes, patch); 2006-05-11 20:23 EDT, Ernie Petrides
  RHEL4 U4 patch resolving this problem (282 bytes, patch); 2006-05-11 20:30 EDT, Ernie Petrides

Description Mark J. Cox (Product Security) 2006-03-09 08:16:01 EST
Mike O'Connor noted to vendor-sec that the following commit fixes a local DoS
where an unprivileged user calls get_nodes with maxnodes set to between
((-2 * (BITS_PER_LONG - 1) and 0.

Fixed by
http://linux.bkbits.net:8080/linux-2.6/cset@43f64992qvJ8Nep24rdzy0AROhhGiw
but then corrected to
http://linux.bkbits.net:8080/linux-2.6/cset@43fa9051sxog2Snggt2j_-aUDTdMwA
Comment 1 Ernie Petrides 2006-05-11 18:40:35 EDT
I've determined that RHEL4 U4 is *not* vulnerable to this DoS because
of the difference in stack layout of the callers of get_nodes().  Please
downgrade this bug to a non-security issue and record that RHEL4 isn't
vulnerable to CVE-2006-0557.

However, there is still a bug in RHEL4 in the validation of "maxnodes",
although I have yet to determine how to verify what improper syscall
behavior might occur.  A value of -(BITS_PER_LONG-1) to -1 will
cause the local variable "start" inside sys_mbind() to be overwritten,
which is likely to cause improper mbind(2) syscall operation (but no crash).
Comment 2 Ernie Petrides 2006-05-11 18:50:39 EDT
A similar situation exists for the set_mempolicy(2) syscall, which
also causes the same get_nodes() function call (but no crash).
Comment 4 Ernie Petrides 2006-05-11 20:30:58 EDT
Created attachment 128925 [details]
RHEL4 U4 patch resolving this problem

Note that the upstream patch refers to the identifier BITS_PER_BYTE,
which is not defined in RHEL4.  It's more efficient to test for a zero
"nlongs" value anyway.

Patch posted for review on 11-May-2006.
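Added example, not code from the kernel tree and not the RHEL4 patch attached above: a userspace C model of the "maxnodes" arithmetic that the description and comments 1, 2 and 4 discuss. It shows how a user-supplied value of 0 or a small negative value makes the long count (nlongs) wrap to zero so that the closing masking store lands one long below the nodemask (the caller's local), and it shows the two checks: the upstream page-size bound (with CHAR_BIT standing in for BITS_PER_BYTE) and the zero-nlongs test that comment 4 prefers. The nodemask size (NODEMASK_LONGS), the page size (MODEL_PAGE_SIZE), the single "below" word standing in for the caller's stack frame, and the probe values in main() are all assumptions made for the illustration; the real function also rejects a NULL user pointer, which is left out here.

```c
/*
 * Added example: a userspace model of the maxnode -> nlongs arithmetic in
 * get_nodes() (mm/mempolicy.c). It is NOT the kernel source and NOT the
 * attached RHEL4 patch. Assumptions for the illustration: the nodemask is
 * NODEMASK_LONGS longs, the page is MODEL_PAGE_SIZE bytes, and a single
 * word (frame[0]) stands in for the caller's neighbouring local variable.
 */
#include <errno.h>
#include <limits.h>
#include <stdio.h>

#define BITS_PER_LONG    (sizeof(unsigned long) * CHAR_BIT)
#define BITS_TO_LONGS(n) (((n) + BITS_PER_LONG - 1) / BITS_PER_LONG)
#define NODEMASK_LONGS   2        /* assumed nodemask size, in longs */
#define MODEL_PAGE_SIZE  4096UL   /* assumed; the real PAGE_SIZE is per-arch */

/*
 * Unpatched path. The user passes a node count; the kernel does --maxnode,
 * so 0 becomes ULONG_MAX and small negative values stay just below it.
 * BITS_TO_LONGS then wraps in its "+ BITS_PER_LONG - 1", nlongs comes out
 * as 0, and the closing "nodes[nlongs-1] &= endmask" indexes one long
 * BEFORE the nodemask, i.e. into whatever the caller keeps there.
 * Returns:  0 no store (early return), 1 store inside the nodemask,
 *          -1 store landed on the word below the nodemask,
 *           2 nlongs too large for the nodemask (the kernel takes a
 *             different branch there; not modelled).
 */
int unpatched_get_nodes(unsigned long maxnode)
{
    unsigned long frame[1 + NODEMASK_LONGS];   /* frame[0] is the word below */
    unsigned long *nodes = &frame[1];          /* nodemask starts at frame[1] */
    unsigned long nlongs, endmask;
    long idx;

    frame[0] = ~0UL;
    --maxnode;
    if (maxnode == 0)
        return 0;
    nlongs = BITS_TO_LONGS(maxnode);           /* 0 when maxnode is near ULONG_MAX */
    if (nlongs > NODEMASK_LONGS)
        return 2;
    endmask = (maxnode % BITS_PER_LONG) == 0
              ? ~0UL : (1UL << (maxnode % BITS_PER_LONG)) - 1;
    idx = (long)(nlongs - 1);                  /* the kernel uses the unsigned
                                                  value; it wraps to the same
                                                  address as index -1 */
    nodes[idx] &= endmask;                     /* idx == -1 modifies frame[0] */
    return idx < 0 ? -1 : 1;
}

/*
 * Hardened path: the upstream bound (maxnode beyond one page of bits is
 * rejected; BITS_PER_BYTE is spelled CHAR_BIT here) followed by the
 * nlongs == 0 test that comment 4 prefers for a tree without BITS_PER_BYTE.
 * Either check alone stops the wrapped index; both are shown.
 * Returns 0 if the value would be accepted, -EINVAL otherwise.
 */
int patched_validate(unsigned long maxnode)
{
    --maxnode;
    if (maxnode == 0)
        return 0;
    if (maxnode > MODEL_PAGE_SIZE * CHAR_BIT)   /* upstream check */
        return -EINVAL;
    if (BITS_TO_LONGS(maxnode) == 0)            /* zero-nlongs check */
        return -EINVAL;
    return 0;
}

int main(void)
{
    /* Constructed inputs: user-supplied maxnode values to try. */
    const long probes[] = { 0, 1, -1, -(long)(BITS_PER_LONG - 1), 64, 130 };
    size_t i;

    for (i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        unsigned long v = (unsigned long)probes[i];
        printf("maxnode=%5ld  unpatched=%2d  patched=%s\n", probes[i],
               unpatched_get_nodes(v),
               patched_validate(v) == 0 ? "accept" : "EINVAL");
    }
    return 0;
}
```

The interesting rows are 0 and -1: the unpatched model returns -1 for both, meaning the masking store hit frame[0] rather than the nodemask, which is the "start gets overwritten" effect comment 1 describes; whether that is a crash or merely a wrong mbind(2) result depends on what the caller happens to keep in that slot, which is exactly the stack-layout difference comment 1 relies on.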
Comment 7 Ernie Petrides 2006-05-12 14:17:28 EDT
Another relevant aspect of this problem is that the code with the bug
is only compiled into kernels with CONFIG_NUMA enabled.  The following
config files set this:

  config-i686-hugemem
  config-ia64-generic
  config-ppc64-generic
  config-x86_64-generic

Thus, the only potential exposure on RHEL4 is with these configs.  I've
only tested x86_64.  Jason is going to test the x86 hugemem kernel shortly.

The test program in comment #3 should be used with the -1L parameter set to
-31L (for i686) or -63L (for ia64 or ppc64) to check for crashes.
Comment 8 Ernie Petrides 2006-05-12 14:22:27 EDT
Correction to last comment: the i686-hugemem config is not used on RHEL4.

Thus, there is no possible exposure to this bug on any x86 RHEL4 kernel.
Comment 9 Jason Baron 2006-05-12 16:00:20 EDT
*** Bug 183665 has been marked as a duplicate of this bug. ***
Comment 11 Jason Baron 2006-08-21 16:42:01 EDT
committed in stream U5 build 42.2. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/
Comment 12 RHEL Product and Program Management 2006-09-07 15:29:23 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 16 Mike Gahagan 2007-04-04 11:07:42 EDT
Verified that the patch is in the -52 kernel.

Comment 18 Red Hat Bugzilla 2007-05-07 20:42:49 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0304.html
