253926 – (CVE-2007-4133) CVE-2007-4133 prio_tree unit kernel panic

Bug 253926 (CVE-2007-4133) - CVE-2007-4133 prio_tree unit kernel panic

Summary: CVE-2007-4133 prio_tree unit kernel panic

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2007-4133
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Duplicates (2):	247806 253551 (view as bug list)
Depends On:	253929 253930
Blocks:
TreeView+	depends on / blocked

Reported:	2007-08-22 22:56 UTC by Marcel Holtmann
Modified:	2021-11-12 19:42 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-09-28 20:31:44 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2007:0940	0	normal	SHIPPED_LIVE	Important: kernel security update	2007-10-22 10:52:41 UTC

Description Marcel Holtmann 2007-08-22 22:56:20 UTC

hugetlb_vmtruncate_list was misconverted to prio_tree: its prio_tree is in units
of PAGE_SIZE (PAGE_CACHE_SIZE) like any other, not HPAGE_SIZE (whereas its
radix_tree is kept in units of HPAGE_SIZE, otherwise slots would be absurdly
sparse).

At first I thought the error benign, just calling __unmap_hugepage_range on more
vmas than necessary; but on 32-bit machines, when the prio_tree is searched
correctly, it happens to ensure the v_offset calculation won't overflow.  As it
stood, when truncating at or beyond 4GB, it was liable to discard pages COWed
from lower offsets; or even to clear pmd entries of preceding vmas, triggering
exit_mmap's BUG_ON(nr_ptes).

Comment 8 Kurt Seifried 2011-09-28 20:31:44 UTC

All children bugs have been closed, parent is no longer needed.

Note You need to log in before you can comment on or make changes to this bug.