Bug 218777 - (CVE-2007-6733) CVE-2007-6733 Kernel BUG at locks:1799
CVE-2007-6733 Kernel BUG at locks:1799
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel (Show other bugs)
4.4
All Linux
medium Severity medium
: ---
: ---
Assigned To: Peter Staubach
Brian Brock
http://lkml.org/lkml/2005/12/21/334
:
: 207737 208585 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-12-07 09:42 EST by Sachin Prabhu
Modified: 2010-10-22 03:19 EDT (History)
5 users (show)

See Also:
Fixed In Version: RHBA-2007-0304
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-05-08 00:23:37 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Proposed patch for 2.6.9-42.0.2.EL (424 bytes, patch)
2006-12-07 09:48 EST, Sachin Prabhu
no flags Details | Diff

  None (edit)
Description Sachin Prabhu 2006-12-07 09:42:47 EST
This problem was reported by ASANO Masahiro for the upstream kernel. 
http://lkml.org/lkml/2005/12/21/334

The change in locks_remove_flock for bz #160844 allows the local users to crash
the system. The nfs client prevents mandatory locking. The if statement checking
for this will allow a user to get the nfs client to leave behind posix locks by
changing the mode before unlocking. The changes in locks_remove_flock causes it
to throw a BUG().

Run the attached reproducer a few times on a RHEL 4 U4 server to cause a crash.
Comment 6 Jason Baron 2006-12-21 11:07:03 EST
committed in stream U5 build 42.30. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/
Comment 9 Jay Turner 2007-02-08 08:41:01 EST
QE ack for RHEL4.5.
Comment 11 Steve Cleveland 2007-02-26 12:43:19 EST
According to the included URL, this is a local user NFS exploit.  Is there any
way this bug could be hit by an nfs server or by a user inadvertently?  After a
recent kernel patch on our Sun NFS servers (to address DST), our linux CPU
server (multiple users via ssh) has crashed once about every 12 hours.  Those
Sun servers have been having other issues with NFS since the patch, so I'm
wondering if it's possible that the NFS communication could cause the crash. 
None of our linux workstations have had any problems, but they're likely not
hitting NFS as hard.

I applied the test kernel and so far so good.  Is there a way to get an official
kernel update in FastTrack, or any word on when it might be available on the
beta channel?

I realize this is probably better for a mailing list, but that mail thread is
over a year old.
Comment 12 Mike Gahagan 2007-04-03 12:15:24 EDT
sucessfully tested using the reproducer and verified the patch is in the -52 kernel.

Comment 15 Red Hat Bugzilla 2007-05-08 00:23:37 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0304.html
Comment 19 Peter Staubach 2008-06-18 11:51:03 EDT
*** Bug 208585 has been marked as a duplicate of this bug. ***
Comment 20 Eugene Teo (Security Response) 2010-03-16 21:30:29 EDT
This issue has been assigned with CVE-2007-6733. It was reported back in 12/2006, and was found to be security-relevant while triaging CVE-2010-0727.
Comment 21 Jeff Layton 2010-03-17 08:24:59 EDT
*** Bug 207737 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.