Bug 461082 - (CVE-2007-6716) CVE-2007-6716 kernel: dio: zero struct dio with kzalloc instead of manually
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: reported=20080903:1911,public=2007072...
Keywords: Security
Depends On: 439918 461089 461090 461091 463868
Reported: 2008-09-03 22:36 EDT by Eugene Teo (Security Response)
Modified: 2010-12-21 12:37 EST
Doc Type: Bug Fix
Last Closed: 2010-12-21 12:37:57 EST

Attachments
Upstream patch for this issue (2.89 KB, patch)
2008-09-03 22:43 EDT, Eugene Teo (Security Response)
jobfile for reproducer (773 bytes, text/plain)
2008-09-04 00:09 EDT, Eugene Teo (Security Response)

Description Eugene Teo (Security Response) 2008-09-03 22:36:52 EDT
Description of problem:
This avoids exposing ourselves to the risk of finding another field like .map_bh.b_state where we rely on zeroing but don't enforce it in the code. The fix uses kzalloc to zero the whole struct dio rather than manually trying to track which fields we rely on being zero.

Reference:
http://lkml.org/lkml/2007/7/26/88
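The pattern the description refers to, as an added user-space C illustration that is neither the kernel's code nor the attached patch: a cut-down stand-in for struct dio (the real struct has many more fields) is allocated the manual way and the kzalloc way, with a 0xAA fill standing in for recycled slab memory so the untracked field's stale contents are visible.

```c
#include <stdlib.h>
#include <string.h>
/* Simplified stand-in for the kernel's struct dio (assumption: the real
 * struct has many more fields; map_bh.b_state is the one this bug is about). */
struct buffer_head_sim { unsigned long b_state; void *b_data; };
struct dio_sim { int rw; int flags; struct buffer_head_sim map_bh; long result; };

/* kmalloc stand-in: memory comes back with stale contents, simulated by
 * filling the block with 0xAA the way slab poisoning would. */
static void *kmalloc_sim(size_t n) {
    void *p = malloc(n);
    if (p) memset(p, 0xAA, n);
    return p;
}

/* kzalloc stand-in: same allocator, but the whole block is zeroed. */
static void *kzalloc_sim(size_t n) {
    void *p = kmalloc_sim(n);
    if (p) memset(p, 0, n);
    return p;
}

/* Before the fix: zero only the fields someone remembered to track.
 * map_bh.b_state is never set, yet later code relies on it being 0. */
struct dio_sim *dio_alloc_manual(int rw) {
    struct dio_sim *dio = kmalloc_sim(sizeof(*dio));
    if (!dio) return NULL;
    dio->rw = rw;
    dio->flags = 0;
    dio->result = 0;
    return dio;
}

/* After the fix: zero the whole struct, so no field depends on the list. */
struct dio_sim *dio_alloc_zeroed(int rw) {
    struct dio_sim *dio = kzalloc_sim(sizeof(*dio));
    if (!dio) return NULL;
    dio->rw = rw;
    return dio;
}
/* Run one allocation path and report whether map_bh.b_state is zero:
 * 1 = clean, 0 = stale data leaked through, -1 = allocation failed. */
int map_state_clean_after(struct dio_sim *(*alloc)(int)) {
    struct dio_sim *dio = alloc(1);
    if (!dio) return -1;
    int clean = (dio->map_bh.b_state == 0);
    free(dio);
    return clean;
}
```

With manual initialisation the stale 0xAA bytes survive in map_bh.b_state; with the zeroed allocation every field, tracked or not, starts at zero.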
Comment 2 Eugene Teo (Security Response) 2008-09-03 22:43:32 EDT
Created attachment 315715
Upstream patch for this issue
Comment 3 Eugene Teo (Security Response) 2008-09-03 22:44:25 EDT
Reproducer:
http://freshmeat.net/projects/fio/
http://lkml.org/lkml/2007/7/30/448
Comment 8 Eugene Teo (Security Response) 2008-09-04 00:09:22 EDT
Created attachment 315718
jobfile for reproducer
Comment 9 Zhang Kexin 2008-09-12 07:00:46 EDT
When I tried to reproduce the bug on 2.6.18-92.1.10.el5, I got a kernel panic.
On 2.6.18-92.1.13, the same happens.

The steps are as follows:
1. download fio-1.21.tar.bz2 from http://freshmeat.net/projects/fio/ and extract it to the /root/kzhang/fio directory
2. make & make install
3. download jobfile from https://bugzilla.redhat.com/attachment.cgi?id=315718
4. set directory=/root/kzhang/fio
5. ./fio jobfile

The system kernel panics; the backtrace follows.

Kernel BUG at mm/filemap.c:553
invalid opcode: 0000 [1] SMP
last sysfs file: /block/dm-0/stat
CPU 7
Modules linked in: autofs4 hidp rfcomm l2cap bluetooth sunrpc ipv6 xfrm_nalgo crypto_api cpufreq_ondemand acpi_cpufreq dm_multipath video sbs backlight i2c_ec i2c_core button battery asus_acpi acpi_memhotplug ac parport_pc lp parport joydev sr_mod sg bnx2 floppy serio_raw pcspkr ide_cd i5000_edac cdrom edac_mc shpchp dm_snapshot dm_zero dm_mirror dm_mod usb_storage ata_piix libata megaraid_sas sd_mod scsi_mod ext3 jbd uhci_hcd ohci_hcd ehci_hcd
Pid: 6447, comm: fio Not tainted 2.6.18-92.1.13.el5 #1
RIP: 0010:[<ffffffff80017c4a>]  [<ffffffff80017c4a>] unlock_page+0xf/0x2f
RSP: 0018:ffff810052605e18  EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff810000e32cf8 RCX: 0000000000000000
RDX: ffff810001918cf8 RSI: ffff81007fe1c550 RDI: ffff810000e32cf8
RBP: 00000000ffffffef R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff81004f64e0e0
R13: 0000000000000000 R14: 0000000000001000 R15: ffff81005eec7220
FS:  00002b8a136f20f0(0000) GS:ffff81007fe1c3c0(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000003d846d3020 CR3: 0000000051e6b000 CR4: 00000000000006e0
Process fio (pid: 6447, threadinfo ffff810052604000, task ffff810051f330c0)
Stack:  ffff810000e32cf8 ffffffff800ec7cb ffff810052605e98 ffff81004f64e000
 ffff81007823ecc0 00000000000200d2 0000000000000010 ffff81004f64e0e0
 ffff81004f64e000 0000000000000000 0000000000000000 ffffffff802f66a0
Call Trace:
 [<ffffffff800ec7cb>] pipe_to_file+0x31d/0x32e
 [<ffffffff800ebc88>] splice_from_pipe+0x89/0x21a
 [<ffffffff800ec4ae>] pipe_to_file+0x0/0x32e
 [<ffffffff800ec04b>] generic_file_splice_write+0x21/0x8a
 [<ffffffff800ecd59>] sys_splice+0x119/0x238
 [<ffffffff8005d28d>] tracesys+0xd5/0xe0


Code: 0f 0b 68 97 3d 29 80 c2 29 02 48 89 df e8 b3 29 00 00 48 89
RIP  [<ffffffff80017c4a>] unlock_page+0xf/0x2f
 RSP <ffff810052605e18>
 <0>Kernel panic - not syncing: Fatal exception
Comment 17 Vincent Danen 2010-12-21 12:37:57 EST
This was addressed via:

Red Hat Enterprise Linux version 5 (RHSA-2008:0885)
Red Hat Enterprise Linux version 4 (RHSA-2008:0972)
