Bug 243251 (CVE-2006-5158) - CVE-2006-5158 NFS lockd deadlock
Summary: CVE-2006-5158 NFS lockd deadlock
Status: CLOSED ERRATA
Alias: CVE-2006-5158
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Reported: 2007-06-08 10:02 UTC by Marcel Holtmann
Modified: 2021-11-12 19:34 UTC (History)

Fixed In Version: RHSA-2007-0488
Doc Type: Bug Fix
Last Closed: 2007-06-25 18:05:03 UTC




Links
Red Hat Product Errata RHSA-2007:0488 (priority normal, status SHIPPED_LIVE): Important: kernel security update; last updated 2008-01-09 18:29:42 UTC

Description Marcel Holtmann 2007-06-08 10:02:57 UTC
Report from Matthias Andree:

kernel: Unable to handle kernel NULL pointer dereference at virtual address 0000000c
kernel:  printing eip:
kernel: c01abbb0
kernel: *pde = 00000000
kernel: Oops: 0000 [#1]
kernel: Modules linked in: softdog autofs4 nfsd exportfs thermal processor fan button battery ac w83627hf i2c_sensor i2c_isa i2c_viapro i2c_core usbserial ipt_REDIRECT ipt_multiport parport_pc ipt_recent lp ipt_REJECT ipt_LOG ipt_limit ipt_state parport iptable_filter iptable_mangle 8021q ipv6 joydev sg st sr_mod ide_cd cdrom tun ip_nat_ftp iptable_nat ip_tables ip_conntrack_ftp ip_conntrack via_agp agpgart ehci_hcd uhci_hcd ext3 jbd evdev sd_mod scsi_mod via_rhine mii 3c59x usbcore xfs
kernel: CPU:    0
kernel: EIP:    0060:[<c01abbb0>]    Not tainted VLI
kernel: EFLAGS: 00010246   (2.6.8-24.23-default SL92_BRANCH-20060608133134)
kernel: EIP is at nlmclnt_mark_reclaim+0x50/0x70
kernel: eax: 00000000   ebx: d61298b4   ecx: d61298b8   edx: d6129b20
kernel: esi: de59abe0   edi: 0000000a   ebp: c03710f4   esp: d59dbf5c
kernel: ds: 007b   es: 007b   ss: 0068
kernel: Process lockd (pid: 5029, threadinfo=d59da000 task=dcf24aa0)
kernel: Stack: de59abe0 000000af c01abc40 de59abe0 d59dbf8c c01ad499 000000af dfeba800
kernel:        c0371a78 c01b26a0 dfebaa00 c01b25f4 cb030002 2aa3d981 00000000 00000000
kernel:        dfebaa40 c02f2781 d5201014 00000001 00000001 dfebaa64 dfebaa40 c0371348
kernel: Call Trace:
kernel:  [<c01abc40>] nlmclnt_recovery+0x70/0xc0
kernel:  [<c01ad499>] nlm_host_rebooted+0x109/0x110
kernel:  [<c01b26a0>] nsmsvc_decode_stat_chge+0x0/0x80
kernel:  [<c01b25f4>] nsmsvc_proc_notify+0x34/0x50
kernel:  [<c02f2781>] svc_process+0x531/0x820
kernel:  [<c01ad949>] lockd+0x119/0x230
kernel:  [<c01ad830>] lockd+0x0/0x230
kernel:  [<c0104255>] kernel_thread_helper+0x5/0x10
kernel: Code: c2 0f 18 00 90 81 f9 6c ce 36 c0 74 34 8d 59 fc 8b 43 24 8b 40 08 8b 40 08 8b 80 94 00 00 00 81 78 38 69 69 00 00 75 d3 8b 43 54 <39> 70 0c 75 cb 8b 43 50 a8 01 74 c4 83 c8 02 89 43 50 8b 11 eb

The oops is from a SuSE 9.2 kernel, but a Red Hat kernel should also be
vulnerable to this issue. While this is a simple NULL pointer dereference, it
seems to deadlock the NFS lockd and so allows a denial of service attack.

Comment 1 Jeff Layton 2007-06-08 10:39:24 UTC

*** This bug has been marked as a duplicate of 210128 ***

Comment 2 Jeff Layton 2007-06-08 10:45:34 UTC
My mistake, I didn't realize this was on z-stream proposed. Might have been better
to clone the other BZ that contains the patch.


Comment 3 Jason Baron 2007-06-12 15:33:55 UTC
Committed in stream rhel-4.5.z build 55.0.1


Comment 6 Red Hat Bugzilla 2007-06-25 18:05:03 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0488.html


