Bug 461082 (CVE-2007-6716) - CVE-2007-6716 kernel: dio: zero struct dio with kzalloc instead of manually
Summary: CVE-2007-6716 kernel: dio: zero struct dio with kzalloc instead of manually
Status: CLOSED ERRATA
Alias: CVE-2007-6716
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 439918 461089 461090 461091 463868
Reported: 2008-09-04 02:36 UTC by Eugene Teo (Security Response)
Modified: 2019-09-29 12:26 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-21 17:37:57 UTC
Embargoed:


Attachments
Upstream patch for this issue (2.89 KB, patch)
2008-09-04 02:43 UTC, Eugene Teo (Security Response)
jobfile for reproducer (773 bytes, text/plain)
2008-09-04 04:09 UTC, Eugene Teo (Security Response)


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2008:0885 | 0 | normal | SHIPPED_LIVE | Important: kernel security and bug fix update | 2008-09-24 18:45:31 UTC
Red Hat Product Errata | RHSA-2008:0972 | 0 | normal | SHIPPED_LIVE | Important: kernel security and bug fix update | 2008-11-19 13:44:42 UTC

Description Eugene Teo (Security Response) 2008-09-04 02:36:52 UTC
Description of problem:
To avoid exposing ourselves to the risk of finding another field like .map_bh.b_state where we rely on zeroing but don't enforce it in the code, the fix uses kzalloc to zero all of struct dio rather than manually trying to track which fields we rely on being zero.

Reference:
http://lkml.org/lkml/2007/7/26/88
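
The allocation pattern described above, as an added example that is not part of the original report or the upstream patch: a userspace model in which `malloc` plus a poison fill stands in for `kmalloc` and `calloc` stands in for `kzalloc`. The `dio_model` and `bh_model` structs, their trimmed field list, and all function names are assumptions made for illustration.

```c
/* Added example: userspace model of kmalloc + manual zeroing vs kzalloc. */
#include <stdlib.h>
#include <string.h>

/* Hypothetical, trimmed stand-ins for struct buffer_head and struct dio. */
struct bh_model  { unsigned long b_state; unsigned long b_size; };
struct dio_model {
    int             rw;
    unsigned long   pages_in_io;
    int             page_errors;
    struct bh_model map_bh;  /* code relies on map_bh.b_state starting at 0 */
};

/* Stand-in for kmalloc(): recycled memory holds stale bytes, modelled
 * deterministically here with a 0xA5 poison pattern. */
static void *stale_alloc(size_t n)
{
    void *p = malloc(n);
    if (p)
        memset(p, 0xA5, n);
    return p;
}

/* "Before" pattern: zero only the fields someone remembered to list. */
struct dio_model *dio_alloc_manual(void)
{
    struct dio_model *dio = stale_alloc(sizeof(*dio));
    if (!dio)
        return NULL;
    dio->rw = 0;
    dio->pages_in_io = 0;
    dio->page_errors = 0;
    /* map_bh.b_state is not in the list, so it keeps the stale value. */
    return dio;
}

/* "After" pattern: whole-struct zeroing, the userspace analogue of kzalloc(). */
struct dio_model *dio_alloc_zeroed(void)
{
    return calloc(1, sizeof(struct dio_model));
}

/* Returns 1 when the invariant "b_state starts at zero" holds. */
int dio_state_is_clean(const struct dio_model *dio)
{
    return dio && dio->map_bh.b_state == 0;
}
```

With whole-struct zeroing, a field added later inherits the zero invariant without anyone having to extend a hand-maintained list.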

Comment 2 Eugene Teo (Security Response) 2008-09-04 02:43:32 UTC
Created attachment 315715
Upstream patch for this issue

Comment 3 Eugene Teo (Security Response) 2008-09-04 02:44:25 UTC
Reproducer:
http://freshmeat.net/projects/fio/
http://lkml.org/lkml/2007/7/30/448

Comment 8 Eugene Teo (Security Response) 2008-09-04 04:09:22 UTC
Created attachment 315718
jobfile for reproducer

Comment 9 Zhang Kexin 2008-09-12 11:00:46 UTC
When I tried to reproduce the bug on 2.6.18-92.1.10.el5, I hit a kernel panic.
On 2.6.18-92.1.13, the same happens.

The steps are as follows:
1. Download fio-1.21.tar.bz2 from http://freshmeat.net/projects/fio/ and extract the file to the /root/kzhang/fio directory
2. make & make install
3. Download the jobfile from https://bugzilla.redhat.com/attachment.cgi?id=315718
4. Change the directory=/root/kzhang/fio
5. ./fio jobfile

The system then kernel panics; the following is the backtrace.

Kernel BUG at mm/filemap.c:553
invalid opcode: 0000 [1] SMP
last sysfs file: /block/dm-0/stat
CPU 7
Modules linked in: autofs4 hidp rfcomm l2cap bluetooth sunrpc ipv6 xfrm_nalgo crypto_api cpufreq_ondemand acpi_cpufreq dm_multipath video sbs backlight i2c_ec i2c_core button battery asus_acpi acpi_memhotplug ac parport_pc lp parport joydev sr_mod sg bnx2 floppy serio_raw pcspkr ide_cd i5000_edac cdrom edac_mc shpchp dm_snapshot dm_zero dm_mirror dm_mod usb_storage ata_piix libata megaraid_sas sd_mod scsi_mod ext3 jbd uhci_hcd ohci_hcd ehci_hcd
Pid: 6447, comm: fio Not tainted 2.6.18-92.1.13.el5 #1
RIP: 0010:[<ffffffff80017c4a>]  [<ffffffff80017c4a>] unlock_page+0xf/0x2f
RSP: 0018:ffff810052605e18  EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff810000e32cf8 RCX: 0000000000000000
RDX: ffff810001918cf8 RSI: ffff81007fe1c550 RDI: ffff810000e32cf8
RBP: 00000000ffffffef R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff81004f64e0e0
R13: 0000000000000000 R14: 0000000000001000 R15: ffff81005eec7220
FS:  00002b8a136f20f0(0000) GS:ffff81007fe1c3c0(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000003d846d3020 CR3: 0000000051e6b000 CR4: 00000000000006e0
Process fio (pid: 6447, threadinfo ffff810052604000, task ffff810051f330c0)
Stack:  ffff810000e32cf8 ffffffff800ec7cb ffff810052605e98 ffff81004f64e000
 ffff81007823ecc0 00000000000200d2 0000000000000010 ffff81004f64e0e0
 ffff81004f64e000 0000000000000000 0000000000000000 ffffffff802f66a0
Call Trace:
 [<ffffffff800ec7cb>] pipe_to_file+0x31d/0x32e
 [<ffffffff800ebc88>] splice_from_pipe+0x89/0x21a
 [<ffffffff800ec4ae>] pipe_to_file+0x0/0x32e
 [<ffffffff800ec04b>] generic_file_splice_write+0x21/0x8a
 [<ffffffff800ecd59>] sys_splice+0x119/0x238
 [<ffffffff8005d28d>] tracesys+0xd5/0xe0


Code: 0f 0b 68 97 3d 29 80 c2 29 02 48 89 df e8 b3 29 00 00 48 89
RIP  [<ffffffff80017c4a>] unlock_page+0xf/0x2f
 RSP <ffff810052605e18>
 <0>Kernel panic - not syncing: Fatal exception

Comment 17 Vincent Danen 2010-12-21 17:37:57 UTC
This was addressed via:

Red Hat Enterprise Linux version 5 (RHSA-2008:0885)
Red Hat Enterprise Linux version 4 (RHSA-2008:0972)

