Bug 227394 - CVE-2007-0006 spinlock cpu recursion
Summary: CVE-2007-0006 spinlock cpu recursion
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 5
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: David Howells
QA Contact: Brian Brock
Duplicates: 227395
Depends On:
Reported: 2007-02-05 19:31 UTC by devon kerr
Modified: 2007-11-30 22:11 UTC (History)

Clone Of:
Last Closed: 2007-02-22 20:24:04 UTC

Attachments
This is the error log of the spinlock recursion (4.71 KB, application/rtf)
2007-02-05 19:31 UTC, devon kerr
Patch to fix the key serial no. collision problem (2.62 KB, patch)
2007-02-06 13:41 UTC, David Howells

External Trackers
Tracker ID Priority Status Summary Last Updated
Linux Kernel 7727 None None None Never

Description devon kerr 2007-02-05 19:31:51 UTC
Description of problem:
We would like to report an error we received from one of our web servers.  We are hesitantly suggesting that this is a software issue:  we have an identical machine which has not exhibited this error.  A line from the error log seems to provide some insight:

Dec 12 10:13:01 clio kernel:  <0>BUG: spinlock cpu recursion on CPU#1, suexec/27413 (Not tainted)

The complete text of the error log has been attached.

Version-Release number of selected component (if applicable):
Fedora Core 5; Linux Kernel 2.16.18-1.2239 for x86_64; Apache 2.2.3; php 5.1

How reproducible:
We have yet to reproduce this issue.

Steps to Reproduce:
Actual results:

Expected results:

Additional info:

Comment 1 devon kerr 2007-02-05 19:31:51 UTC
Created attachment 147394
This is the error log of the spinlock recursion

Comment 2 Chuck Ebbert 2007-02-05 21:23:17 UTC
*** Bug 227395 has been marked as a duplicate of this bug. ***

Comment 3 Chuck Ebbert 2007-02-05 22:08:50 UTC
This is the real problem:
Unable to handle kernel NULL pointer dereference at 0000000000000010
RIP:  [<ffffffff80225942>] __rb_rotate_left+0x7/0x5b
PGD 3a828067 PUD 3d934067 PMD 0 
Oops: 0000 [1] SMP 
last sysfs file: /block/hdb/size
Modules linked in: ipv6 nfs lockd fscache nfs_acl rfcomm l2cap bluetooth sunrpc
dm_mirror dm_mod video sbs i2c_ec i2c_core button battery asus_acpi ac lp
parport_pc parport sg tg3 ide_cd cdrom shpchp k8_edac edac_mc ohci_hcd
serio_raw floppy ehci_hcd pcspkr raid1 ext3 jbd sata_svw libata sd_mod
Pid: 27406, comm: suexec Not tainted 2.6.18-1.2239.fc5 #1
RIP: 0010:[<ffffffff80225942>]  [<ffffffff80225942>] __rb_rotate_left+0x7/0x5b
RSP: 0018:ffff810151397df0  EFLAGS: 00010282
RAX: ffff81005a1ded48 RBX: ffff810102505508 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff806de5e0 RDI: ffff810203166088
RBP: ffff810203166088 R08: ffff8102031668c8 R09: 0000000000000000
R10: 000000005e4ae5f3 R11: ffff810151397c70 R12: ffff810102505508
R13: ffff81005a1ded48 R14: ffffffff806de5e0 R15: 0000000000000026
FS:  00002aaaaaabb850(0000) GS:ffff810103c3b1c0(0000) knlGS: 00000000f7fee8d0
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000010 CR3: 00000000da38b000 CR4: 00000000000006e0
Process suexec (pid: 27406, threadinfo ffff810151396000, task ffff8101d7cf5080)
Stack:  ffffffff80212aff ffff81005a1ded40 ffff810102505518 0000000000000000
	ffff81005a1ded40 ffff810151397eb8 ffffffff80312779 0000000046f0a978
	0000000000000000 1f3f0000aa8adfff ffff8101d7cf5080 000003eaffffffff
Call Trace:
  [<ffffffff80212aff>] rb_insert_color+0xb2/0xda
  [<ffffffff80312779>] key_alloc+0x2b0/0x384
  [<ffffffff8031377b>] keyring_alloc+0x29/0x5f
  [<ffffffff80314ea2>] alloc_uid_keyring+0x3d/0xa6
  [<ffffffff80293a5c>] alloc_uid+0xa9/0x16f
  [<ffffffff802963d6>] set_user+0xf/0x97
  [<ffffffff80297b5c>] sys_setuid+0x7d/0x154
  [<ffffffff8025c00e>] system_call+0x7e/0x83
Code: 48 8b 51 10 49 83 e0 fc 48 85 d2 48 89 57 08 74 0c 48 8b 02
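
Added example (not part of the bug report or of any commenter's post): a small Python triage helper run over an excerpt of the oops quoted in Comment 3. It extracts the fault address, the faulting symbol and the call chain, and, as an assumed heuristic, reports the first frame outside the rbtree helpers as the caller to inspect.

```python
import re

# Excerpt of the oops quoted in Comment 3 (copied from this page, shortened).
OOPS = """\
Unable to handle kernel NULL pointer dereference at 0000000000000010
RIP: 0010:[<ffffffff80225942>]  [<ffffffff80225942>] __rb_rotate_left+0x7/0x5b
RAX: ffff81005a1ded48 RBX: ffff810102505508 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff806de5e0 RDI: ffff810203166088
CR2: 0000000000000010 CR3: 00000000da38b000 CR4: 00000000000006e0
Call Trace:
  [<ffffffff80212aff>] rb_insert_color+0xb2/0xda
  [<ffffffff80312779>] key_alloc+0x2b0/0x384
  [<ffffffff8031377b>] keyring_alloc+0x29/0x5f
  [<ffffffff80314ea2>] alloc_uid_keyring+0x3d/0xa6
  [<ffffffff80293a5c>] alloc_uid+0xa9/0x16f
  [<ffffffff802963d6>] set_user+0xf/0x97
  [<ffffffff80297b5c>] sys_setuid+0x7d/0x154
  [<ffffffff8025c00e>] system_call+0x7e/0x83
"""

PAGE_SIZE = 4096  # assumption: 4 KiB pages, the x86_64 default

def triage_oops(text):
    """Summarise an x86_64 oops: fault address, faulting symbol, call chain."""
    regs = {n: int(v, 16) for n, v in
            re.findall(r"\b(R[A-Z0-9]{1,2}|CR2):\s*([0-9a-f]{16})\b", text)}
    rip = re.search(r"RIP:.*\]\s+(\w+)\+(0x[0-9a-f]+)/", text)
    trace = re.findall(r"^\s*\[<[0-9a-f]+>\]\s+(\w+)\+0x", text, re.M)
    fault = regs.get("CR2")
    # Heuristic (assumption): rb_* frames are generic tree code, so the first
    # frame that is not an rbtree helper is the subsystem that owns the tree.
    caller = next((s for s in trace if not s.lstrip("_").startswith("rb_")), None)
    return {
        "fault_addr": fault,
        "null_plus_offset": fault is not None and fault < PAGE_SIZE,
        "faulting_symbol": rip.group(1) if rip else None,
        "zero_regs": sorted(r for r, v in regs.items() if v == 0 and r != "CR2"),
        "call_chain": trace,
        "caller": caller,
    }
```

On this trace it reports a fault at 0x10 with RCX and RDX zero, and `key_alloc` as the first non-rbtree frame, in line with the key serial number patch attached in Comment 5. The first bytes of the Code line, `48 8b 51 10`, encode `mov 0x10(%rcx),%rdx`, which matches a zero RCX and CR2 = 0x10.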

Comment 4 David Howells 2007-02-06 13:31:41 UTC
Duplicate of http://bugzilla.kernel.org/show_bug.cgi?id=7727

Comment 5 David Howells 2007-02-06 13:41:11 UTC
Created attachment 147464
Patch to fix the key serial no. collision problem
