Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 253926 - (CVE-2007-4133) CVE-2007-4133 prio_tree unit kernel panic
CVE-2007-4133 prio_tree unit kernel panic
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,source=redhat,reporte...
: Security
: 247806 253551 (view as bug list)
Depends On: 253929 253930
Blocks:
  Show dependency treegraph
 
Reported: 2007-08-22 18:56 EDT by Marcel Holtmann
Modified: 2018-10-19 15:46 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-09-28 16:31:44 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0940 normal SHIPPED_LIVE Important: kernel security update 2007-10-22 06:52:41 EDT

  None (edit)
Description Marcel Holtmann 2007-08-22 18:56:20 EDT 
hugetlb_vmtruncate_list was misconverted to prio_tree: its prio_tree is in units
of PAGE_SIZE (PAGE_CACHE_SIZE) like any other, not HPAGE_SIZE (whereas its
radix_tree is kept in units of HPAGE_SIZE, otherwise slots would be absurdly
sparse).

At first I thought the error benign, just calling __unmap_hugepage_range on more
vmas than necessary; but on 32-bit machines, when the prio_tree is searched
correctly, it happens to ensure the v_offset calculation won't overflow.  As it
stood, when truncating at or beyond 4GB, it was liable to discard pages COWed
from lower offsets; or even to clear pmd entries of preceding vmas, triggering
exit_mmap's BUG_ON(nr_ptes).
Comment 8 Kurt Seifried 2011-09-28 16:31:44 EDT 
All children bugs have been closed, parent is no longer needed.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.