Mike O'Connor noted to vendor-sec that the following commit fixes a local DoS
where an unprivileged user calls get_nodes with maxnodes set to between
-2 * (BITS_PER_LONG - 1) and 0.
but then corrected to
I've determined that RHEL4 U4 is *not* vulnerable to this DoS because
of the difference in stack layout of the callers of get_nodes(). Please
downgrade this bug to a non-security issue and record that RHEL4 isn't
vulnerable to CVE-2006-0557.
However, there is still a bug in RHEL4 in the validation of "maxnodes",
although I have not yet determined how to verify what improper syscall
behavior might occur. A value of -(BITS_PER_LONG-1) to -1 will
cause the local variable "start" inside sys_mbind() to be overwritten,
which is likely to cause improper mbind(2) syscall operation (but no crash).
A similar situation exists for the set_mempolicy(2) syscall, which
also causes the same get_nodes() function call (but no crash).
Created attachment 128925 [details]
RHEL4 U4 patch resolving this problem
Note that the upstream patch refers to the identifier BITS_PER_BYTE,
which is not defined in RHEL4. It's more efficient to test for a zero
"nlongs" value anyway.
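A user-space model of the maxnodes arithmetic described in the comments above, added here as an example; it is neither the kernel's get_nodes() nor the attached RHEL4 patch. BITS_PER_LONG, PAGE_SIZE and BITS_TO_LONGS() follow the kernel's definitions, and model_nlongs() and validate_maxnode() are assumed names for this illustration.

```c
#include <limits.h>
#include <stdio.h>

/* Constants as on a 64-bit x86_64 build; BITS_PER_LONG and BITS_TO_LONGS()
 * are defined the way the kernel defines them. */
#define BITS_PER_LONG     (sizeof(unsigned long) * CHAR_BIT)
#define PAGE_SIZE         4096UL
#define BITS_TO_LONGS(n)  (((n) + BITS_PER_LONG - 1) / BITS_PER_LONG)
#define EINVAL            22

/* The unchecked arithmetic: maxnode is an unsigned long, so a "negative"
 * value from user space is a huge number, and the "+ BITS_PER_LONG - 1"
 * inside BITS_TO_LONGS() wraps around, leaving nlongs == 0. The mask is
 * then indexed with nlongs-1, i.e. one word below the array, which is how
 * the neighbouring local "start" in sys_mbind() ends up overwritten. */
unsigned long model_nlongs(unsigned long maxnode)
{
    --maxnode;                          /* get_nodes() decrements first */
    return BITS_TO_LONGS(maxnode);
}

/* Hardened validation in the spirit of the RHEL4 patch: reject a zero
 * nlongs outright, and reject more mask words than fit in a page.
 * (Upstream instead bounds maxnode against PAGE_SIZE*BITS_PER_BYTE.)
 * Returns 0 when nlongs words may be copied and indexed, -EINVAL otherwise. */
int validate_maxnode(unsigned long maxnode)
{
    unsigned long nlongs;

    --maxnode;
    if (maxnode == 0)
        return 0;                       /* empty mask: nothing to copy */
    nlongs = BITS_TO_LONGS(maxnode);
    if (nlongs == 0)                    /* wrapped: nlongs-1 indexes below the mask */
        return -EINVAL;
    if (nlongs > PAGE_SIZE / sizeof(unsigned long))
        return -EINVAL;                 /* more than a page of mask words */
    return 0;
}

int main(void)
{
    /* Constructed probe values: sane sizes plus the wrapping ones from the bug. */
    unsigned long probes[] = { 0UL, 1UL, 64UL, 66UL,
                               (unsigned long)-1, (unsigned long)-(BITS_PER_LONG - 1) };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("maxnode=%#lx nlongs=%lu verdict=%d\n",
               probes[i], model_nlongs(probes[i]), validate_maxnode(probes[i]));
    return 0;
}
```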
Patch posted for review on 11-May-2006.
Another relevant aspect of this problem is that the code with the bug
is only compiled into kernels with CONFIG_NUMA enabled. The following
config files set this:
Thus, the only potential exposure on RHEL4 is with these configs. I've
only tested x86_64. Jason is going to test the x86 hugemem kernel shortly.
The test program in comment #3 should be used with the -1L parameter set to
-31L (for i686) or -63L (for ia64 or ppc64) to check for crashes.
Correction to last comment: the i686-hugemem config is not used on RHEL4.
Thus, there is no possible exposure to this bug on any x86 RHEL4 kernel.
*** Bug 183665 has been marked as a duplicate of this bug. ***
committed in stream U5 build 42.2. A test kernel with this patch is available
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update
Verified that the patch is in the -52 kernel.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.