Mike O'Connor noted to vendor-sec that the following commit fixes a local DoS where an unprivileged user calls get_nodes with maxnodes set to between -2 * (BITS_PER_LONG - 1) and 0. Fixed by http://linux.bkbits.net:8080/linux-2.6/cset@43f64992qvJ8Nep24rdzy0AROhhGiw but then corrected to http://linux.bkbits.net:8080/linux-2.6/cset@43fa9051sxog2Snggt2j_-aUDTdMwA
I've determined that RHEL4 U4 is *not* vulnerable to this DoS because of the difference in stack layout of the callers of get_nodes(). Please downgrade this bug to a non-security issue and record that RHEL4 isn't vulnerable to CVE-2006-0557. However, there is still a bug in RHEL4 in the validation of "maxnodes", although I have not yet determined how to verify what improper syscall behavior might occur. A value of -(BITS_PER_LONG-1) to -1 will cause the local variable "start" inside sys_mbind() to be overwritten, which is likely to cause improper mbind(2) syscall operation (but no crash).
A similar situation exists for the set_mempolicy(2) syscall, which also causes the same get_nodes() function call (but no crash).
Created attachment 128925
RHEL4 U4 patch resolving this problem

Note that the upstream patch refers to the identifier BITS_PER_BYTE, which is not defined in RHEL4. It's more efficient to test for a zero "nlongs" value anyway. Patch posted for review on 11-May-2006.
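To make the arithmetic discussed in the comments above concrete (the wrap of "maxnodes" inside get_nodes() and the zero-"nlongs" test the RHEL4 patch uses instead of the upstream BITS_PER_BYTE bound), here is an added userspace model in C. It is not the kernel's code, not the attached patch, and not the test program from comment #3. The body of get_nodes() is assumed from the 2.6 code of the time and simplified (the existing upper-bound check on nlongs is kept in its simplest form, the MAX_NUMNODES handling is left out), and PAGE_SIZE is assumed to be 4096. The model computes the array index the masking step would touch rather than performing the out-of-bounds write.

```c
/*
 * Userspace model of the maxnode arithmetic in the 2.6 get_nodes() helper
 * behind mbind(2) and set_mempolicy(2) (CVE-2006-0557).
 * Added example: not the kernel's code and not the RHEL4 patch. The flow is
 * simplified (no MAX_NUMNODES handling) and PAGE_SIZE is assumed to be 4096.
 * It computes the index the masking step would touch; it never writes there.
 */
#include <errno.h>
#include <stdio.h>

#define BITS_PER_LONG    ((int)(8 * sizeof(unsigned long)))
#define BITS_TO_LONGS(n) (((n) + BITS_PER_LONG - 1) / BITS_PER_LONG)
#define PAGE_SIZE        4096UL   /* assumed */
#define BITS_PER_BYTE    8        /* used by the upstream fix; not defined in RHEL4 per the report */

struct get_nodes_result {
	int rc;               /* 0: would copy and mask; 1: early return, nothing to copy; -EINVAL: rejected */
	unsigned long nlongs; /* number of longs that would be copied from user space */
	long last_index;      /* index of the word masked afterwards: nlongs - 1 */
};

/* Unpatched flow. maxnode is already an unsigned long here, so a negative
 * value from user space arrives wrapped (-1L is ULONG_MAX). */
struct get_nodes_result get_nodes_unpatched(unsigned long maxnode)
{
	struct get_nodes_result r = { 0, 0, 0 };

	--maxnode;                          /* bit count -> highest bit index */
	if (maxnode == 0) {
		r.rc = 1;
		return r;
	}
	r.nlongs = BITS_TO_LONGS(maxnode);  /* the addition wraps: ULONG_MAX-1 + 63 is tiny, so nlongs == 0 */
	if (r.nlongs > PAGE_SIZE / sizeof(unsigned long)) {
		r.rc = -EINVAL;                 /* existing upper bound (simplified); it never catches nlongs == 0 */
		return r;
	}
	r.last_index = (long)(r.nlongs - 1); /* nodes_addr(*nodes)[nlongs-1] &= endmask; index -1 lands below the array */
	return r;
}

/* Patched flow in the shape the report describes for RHEL4: refuse nlongs == 0
 * before the copy and the mask. The upstream fix instead checks
 * maxnode > PAGE_SIZE * BITS_PER_BYTE, which rejects the same wrapped values. */
struct get_nodes_result get_nodes_patched(unsigned long maxnode)
{
	struct get_nodes_result r = { 0, 0, 0 };

	--maxnode;
	if (maxnode == 0) {
		r.rc = 1;
		return r;
	}
	r.nlongs = BITS_TO_LONGS(maxnode);
	if (r.nlongs == 0 || r.nlongs > PAGE_SIZE / sizeof(unsigned long)) {
		r.rc = -EINVAL;
		return r;
	}
	r.last_index = (long)(r.nlongs - 1);
	return r;
}

/* Count user-supplied maxnode values in [lo, hi] that reach the masking step
 * with nlongs == 0 in the unpatched flow. */
int count_zero_nlongs(long lo, long hi)
{
	int n = 0;
	for (long v = lo; v <= hi; v++) {
		struct get_nodes_result r = get_nodes_unpatched((unsigned long)v);
		if (r.rc == 0 && r.nlongs == 0)
			n++;
	}
	return n;
}

int main(void)
{
	long probes[] = { -1L, -(BITS_PER_LONG - 1), 0L, 1L, 64L };
	for (unsigned i = 0; i < sizeof probes / sizeof probes[0]; i++) {
		struct get_nodes_result u = get_nodes_unpatched((unsigned long)probes[i]);
		struct get_nodes_result p = get_nodes_patched((unsigned long)probes[i]);
		printf("maxnode=%4ld  unpatched: rc=%d nlongs=%lu index=%ld   patched: rc=%d\n",
		       probes[i], u.rc, u.nlongs, u.last_index, p.rc);
	}
	printf("values in [%d, 0] that reach the mask with nlongs == 0: %d\n",
	       -2 * (BITS_PER_LONG - 1), count_zero_nlongs(-2 * (BITS_PER_LONG - 1), 0));
	return 0;
}
```

Passing -1L reproduces the test program's parameter from the comments: after the decrement and the wrapping addition in BITS_TO_LONGS the model yields nlongs == 0, the existing upper-bound check does not fire, and the final mask would be applied at index -1, i.e. to whatever sits just below the nodemask on the caller's stack, which is the layout-dependent effect described above. The same arithmetic with BITS_PER_LONG = 32 shows why the comment below suggests -31L on i686.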
Another relevant aspect of this problem is that the code with the bug is only compiled into kernels with CONFIG_NUMA enabled. The following config files set this:

config-i686-hugemem
config-ia64-generic
config-ppc64-generic
config-x86_64-generic

Thus, the only potential exposure on RHEL4 is with these configs. I've only tested x86_64. Jason is going to test the x86 hugemem kernel shortly. The test program in comment #3 should be used with the -1L parameter set to -31L (for i686) or -63L (for ia64 or ppc64) to check for crashes.
Correction to last comment: the i686-hugemem config is not used on RHEL4. Thus, there is no possible exposure to this bug on any x86 RHEL4 kernel.
*** Bug 183665 has been marked as a duplicate of this bug. ***
committed in stream U5 build 42.2. A test kernel with this patch is available from http://people.redhat.com/~jbaron/rhel4/
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Verified that the patch is in the -52 kernel.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0304.html