Bug 184510 - CVE-2006-0557 get_nodes crash
Summary: CVE-2006-0557 get_nodes crash
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
: ---
Assignee: Ernie Petrides
QA Contact: Brian Brock
URL:
Whiteboard: public=20060217,source=vendorsec,repo...
Duplicates: 183665
Depends On:
Blocks:
 
Reported: 2006-03-09 13:16 UTC by Mark J. Cox
Modified: 2007-11-30 22:07 UTC (History)
4 users

Fixed In Version: RHBA-2007-0304
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-05-08 00:42:49 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
test program used to validate fix (448 bytes, patch)
2006-05-12 00:23 UTC, Ernie Petrides
RHEL4 U4 patch resolving this problem (282 bytes, patch)
2006-05-12 00:30 UTC, Ernie Petrides


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2007:0304 0 normal SHIPPED_LIVE Updated kernel packages available for Red Hat Enterprise Linux 4 Update 5 2007-04-28 18:58:50 UTC

Description Mark J. Cox 2006-03-09 13:16:01 UTC
Mike O'Connor noted to vendor-sec that the following commit fixes a local DoS
where an unprivileged user calls get_nodes with maxnodes set to between
(-2 * (BITS_PER_LONG - 1)) and 0.

Fixed by
http://linux.bkbits.net:8080/linux-2.6/cset@43f64992qvJ8Nep24rdzy0AROhhGiw
but then corrected to
http://linux.bkbits.net:8080/linux-2.6/cset@43fa9051sxog2Snggt2j_-aUDTdMwA

Comment 1 Ernie Petrides 2006-05-11 22:40:35 UTC
I've determined that RHEL4 U4 is *not* vulnerable to this DoS because
of the difference in stack layout of the callers of get_nodes().  Please
downgrade this bug to a non-security issue and record that RHEL4 isn't
vulnerable to CVE-2006-0557.

However, there is still a bug in RHEL4 in the validation of "maxnodes",
although I have yet to determine how to verify what improper syscall
behavior might occur.  A value of -(BITS_PER_LONG-1) to -1 will
cause the local variable "start" inside sys_mbind() to be overwritten,
which is likely to cause improper mbind(2) syscall operation (but no crash).

Comment 2 Ernie Petrides 2006-05-11 22:50:39 UTC
A similar situation exists for the set_mempolicy(2) syscall, which
also causes the same get_nodes() function call (but no crash).

Comment 4 Ernie Petrides 2006-05-12 00:30:58 UTC
Created attachment 128925 [details]
RHEL4 U4 patch resolving this problem

Note that the upstream patch refers to the identifier BITS_PER_BYTE,
which is not defined in RHEL4.  It's more efficient to test for a zero
"nlongs" value anyway.

Patch posted for review on 11-May-2006.
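The arithmetic behind comment 1 and comment 4, as an added user-space model (this is not code from the bug report, from the attached RHEL4 patch, or from the kernel source): it mirrors how get_nodes() turned the caller's maxnode into a count of longs to copy, shows that a "negative" maxnode wraps so that BITS_TO_LONGS() yields zero (and the later index nlongs - 1 underflows), and places the two fixes the comments describe side by side: the upstream bound on maxnode using BITS_PER_BYTE, and the RHEL4-style rejection of a zero nlongs. The macros BITS_PER_LONG, BITS_TO_LONGS, BITS_PER_BYTE and PAGE_SIZE are assumed to match the kernel's definitions, and the function names nlongs_for, last_word_index, validate_upstream and validate_rhel4_style are this example's own.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/* Assumed mirrors of the kernel definitions (user-space model, not the
 * RHEL4 source). */
#define BITS_PER_LONG     ((unsigned long)(sizeof(unsigned long) * CHAR_BIT))
#define BITS_TO_LONGS(nr) (((nr) + BITS_PER_LONG - 1) / BITS_PER_LONG)
#define BITS_PER_BYTE     8UL
#define PAGE_SIZE         4096UL

/* Unchecked conversion as get_nodes() performed it: maxnode is decremented,
 * then turned into a count of unsigned longs.  All arithmetic is unsigned,
 * so a negative value passed as maxnode wraps, and the "+ BITS_PER_LONG - 1"
 * inside BITS_TO_LONGS can wrap back below BITS_PER_LONG, giving nlongs == 0
 * even though the caller asked for a non-empty mask. */
unsigned long nlongs_for(unsigned long maxnode)
{
    --maxnode;
    return BITS_TO_LONGS(maxnode);
}

/* The consequence of nlongs == 0: the code later masked the last copied word
 * at index nlongs - 1, which underflows to ULONG_MAX, i.e. a write below the
 * nodemask on the stack (the overwritten "start" local from comment 1).
 * This function only computes the index; it performs no write. */
unsigned long last_word_index(unsigned long nlongs)
{
    return nlongs - 1;
}

/* Upstream-style fix: bound the bitmap size before any conversion.
 * Returns 0 when acceptable, -EINVAL otherwise. */
int validate_upstream(unsigned long maxnode)
{
    --maxnode;
    if (maxnode == 0)                          /* empty mask: nothing to copy */
        return 0;
    if (maxnode > PAGE_SIZE * BITS_PER_BYTE)   /* bitmap larger than one page */
        return -EINVAL;
    return 0;
}

/* RHEL4-style fix as comment 4 describes it: reject a zero nlongs, which
 * can only arise from wraparound, instead of relying on BITS_PER_BYTE.
 * The page-size cap on nlongs is kept as a simplification of the existing
 * size check.  On success the number of longs to copy is stored in
 * *nlongs_out. */
int validate_rhel4_style(unsigned long maxnode, unsigned long *nlongs_out)
{
    unsigned long nlongs;

    --maxnode;
    if (maxnode == 0) {
        *nlongs_out = 0;
        return 0;
    }
    nlongs = BITS_TO_LONGS(maxnode);
    if (nlongs == 0)                           /* wrapped: refuse to index -1 */
        return -EINVAL;
    if (nlongs > PAGE_SIZE / sizeof(unsigned long))
        return -EINVAL;
    *nlongs_out = nlongs;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: two values in the wrapping range and one
     * ordinary mask size. */
    unsigned long samples[] = { (unsigned long)-1L, (unsigned long)-30L, 64UL };
    unsigned long n = 0;
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long nl = nlongs_for(samples[i]);
        printf("maxnode=%ld: unchecked nlongs=%lu last index=%lu "
               "upstream=%d rhel4=%d\n",
               (long)samples[i], nl, last_word_index(nl),
               validate_upstream(samples[i]),
               validate_rhel4_style(samples[i], &n));
    }
    return 0;
}
```

Either check rejects the wrapped values; the RHEL4 variant does so without needing BITS_PER_BYTE, which is why comment 4 preferred it for that tree.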

Comment 7 Ernie Petrides 2006-05-12 18:17:28 UTC
Another relevant aspect of this problem is that the code with the bug
is only compiled into kernels with CONFIG_NUMA enabled.  The following
config files set this:

  config-i686-hugemem
  config-ia64-generic
  config-ppc64-generic
  config-x86_64-generic

Thus, the only potential exposure on RHEL4 is with these configs.  I've
only tested x86_64.  Jason is going to test the x86 hugemem kernel shortly.

The test program in comment #3 should be used with the -1L parameter set to
-31L (for i686) or -63L (for ia64 or ppc64) to check for crashes.


Comment 8 Ernie Petrides 2006-05-12 18:22:27 UTC
Correction to last comment: the i686-hugemem config is not used on RHEL4.

Thus, there is no possible exposure to this bug on any x86 RHEL4 kernel.

Comment 9 Jason Baron 2006-05-12 20:00:20 UTC
*** Bug 183665 has been marked as a duplicate of this bug. ***

Comment 11 Jason Baron 2006-08-21 20:42:01 UTC
Committed in stream U5 build 42.2. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/


Comment 12 RHEL Program Management 2006-09-07 19:29:23 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 13 RHEL Program Management 2006-09-07 19:29:27 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 14 RHEL Program Management 2006-09-07 19:29:42 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 16 Mike Gahagan 2007-04-04 15:07:42 UTC
Verified that the patch is in the -52 kernel.



Comment 18 Red Hat Bugzilla 2007-05-08 00:42:49 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0304.html

