Bug 218777 (CVE-2007-6733) - CVE-2007-6733 Kernel BUG at locks:1799
Summary: CVE-2007-6733 Kernel BUG at locks:1799
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-6733
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Peter Staubach
QA Contact: Brian Brock
URL: http://lkml.org/lkml/2005/12/21/334
Whiteboard:
Duplicates: 207737 208585
Depends On:
Blocks:
Reported: 2006-12-07 14:42 UTC by Sachin Prabhu
Modified: 2018-10-19 23:11 UTC (History)

Fixed In Version: RHBA-2007-0304
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-05-08 04:23:37 UTC
Target Upstream Version:
Embargoed:


Attachments
Proposed patch for 2.6.9-42.0.2.EL (424 bytes, patch)
2006-12-07 14:48 UTC, Sachin Prabhu


Links
System: Red Hat Product Errata
ID: RHBA-2007:0304
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Updated kernel packages available for Red Hat Enterprise Linux 4 Update 5
Last Updated: 2007-04-28 18:58:50 UTC

Description Sachin Prabhu 2006-12-07 14:42:47 UTC
This problem was reported by ASANO Masahiro for the upstream kernel. 
http://lkml.org/lkml/2005/12/21/334

The change in locks_remove_flock for bz #160844 allows local users to crash
the system. The NFS client prevents mandatory locking. The if statement checking
for this will allow a user to get the NFS client to leave behind POSIX locks by
changing the mode before unlocking. The changes in locks_remove_flock cause it
to throw a BUG().

Run the attached reproducer a few times on a RHEL 4 U4 server to cause a crash.

Comment 6 Jason Baron 2006-12-21 16:07:03 UTC
Committed in stream U5 build 42.30. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/


Comment 9 Jay Turner 2007-02-08 13:41:01 UTC
QE ack for RHEL4.5.

Comment 11 Steve Cleveland 2007-02-26 17:43:19 UTC
According to the included URL, this is a local user NFS exploit.  Is there any
way this bug could be hit by an nfs server or by a user inadvertently?  After a
recent kernel patch on our Sun NFS servers (to address DST), our linux CPU
server (multiple users via ssh) has crashed once about every 12 hours.  Those
Sun servers have been having other issues with NFS since the patch, so I'm
wondering if it's possible that the NFS communication could cause the crash. 
None of our linux workstations have had any problems, but they're likely not
hitting NFS as hard.

I applied the test kernel and so far so good.  Is there a way to get an official
kernel update in FastTrack, or any word on when it might be available on the
beta channel?

I realize this is probably better for a mailing list, but that mail thread is
over a year old.

Comment 12 Mike Gahagan 2007-04-03 16:15:24 UTC
Successfully tested using the reproducer and verified the patch is in the -52 kernel.



Comment 15 Red Hat Bugzilla 2007-05-08 04:23:37 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0304.html

Comment 19 Peter Staubach 2008-06-18 15:51:03 UTC
*** Bug 208585 has been marked as a duplicate of this bug. ***

Comment 20 Eugene Teo (Security Response) 2010-03-17 01:30:29 UTC
This issue has been assigned CVE-2007-6733. It was reported back in 12/2006, and was found to be security-relevant while triaging CVE-2010-0727.

Comment 21 Jeff Layton 2010-03-17 12:24:59 UTC
*** Bug 207737 has been marked as a duplicate of this bug. ***

