Bug 499089 - Request to include (CVE-2008-4307) CVE-2008-4307 Kernel BUG() in locks_remove_flock patch in RHEL4.x & 5.x Kernel
Status: CLOSED DUPLICATE of bug 456282
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.6
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Red Hat Kernel Manager
QA Contact: Red Hat Kernel QE team
Depends On:
Reported: 2009-05-05 07:26 UTC by Raghavendra Badiger
Modified: 2009-11-05 18:50 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-05-13 02:36:57 UTC


Description Raghavendra Badiger 2009-05-05 07:26:36 UTC
Description of problem:

The RHEL4.x kernel (2.6.9-67) and even the latest RHEL4.x kernel update are missing the patch suggested in Bugzilla (https://bugzilla.redhat.com/show_bug.cgi?id=456282)
(CVE-2008-4307) CVE-2008-4307 Kernel BUG() in locks_remove_flock

The issue reported in BZ456282 is readily reproducible on RHEL4.6 with the test programs (lockit.c, locker.c) and steps given in Bugzilla 456282, resulting in a
kernel panic with the stack trace below.

This Bugzilla is a request to include this patch in the next RHEL 4.X and 5.X kernel updates, as both seem to have this issue due to the missing patch.

# crash /boot/System.map-2.6.9-67.XCsmp /boot/vmlinux-2.6.9-67.XCsmp /var/log/dump/0/dump.0 

crash 4.0-3.9.lnxhpc.1
  SYSTEM MAP: /boot/System.map-2.6.9-67.XCsmp
DEBUG KERNEL: /boot/vmlinux-2.6.9-67.XCsmp (2.6.9-67.XCsmp)
    DUMPFILE: /var/log/dump/0/dump.0
        CPUS: 4
        DATE: Thu Mar 19 12:40:23 2009
      UPTIME: 20 days, 00:26:58
LOAD AVERAGE: 0.68, 0.17, 0.10
       TASKS: 417
    NODENAME: n0
     RELEASE: 2.6.9-67.XCsmp
     VERSION: #1 SMP Mon Aug 11 20:21:11 EDT 2008
     MACHINE: x86_64  (1866 Mhz)
      MEMORY: 17 GB
       PANIC: "invalid operand"
         PID: 22550
     COMMAND: "locker"
        TASK: 1041f9ad810  [THREAD_INFO: 101c9fa4000]
         CPU: 0
crash> bt
PID: 22550  TASK: 1041f9ad810       CPU: 0   COMMAND: "locker"
 #0 [101c9fa78a8] schedule at ffffffff8031a0eb
 #1 [101c9fa7db0] error_exit at ffffffff80110e4d
    [exception RIP: locks_remove_flock+201]
    RIP: ffffffff80191e92  RSP: 00000101c9fa7e68  RFLAGS: 00010246
    RAX: 000001042ca38f60  RBX: 00000103b398de80  RCX: 0000000000000003
    RDX: 0000000000000000  RSI: 000000000000007c  RDI: ffffffff80525180
    RBP: 00000103b398dd70   R8: 000000000000270f   R9: 000001042fb85000
    R10: 000001042fb85000  R11: 000001042b8cf100  R12: 00000103e400b340
    R13: 00000103b3e219a8  R14: 0000000000000003  R15: 0000003a2720d280
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
 #2 [101c9fa7e60] locks_remove_flock at ffffffff80191e46
 #3 [101c9fa7e90] fcntl_setlk at ffffffff80191c19
 #4 [101c9fa7ea0] tty_ldisc_deref at ffffffff8022f8bc
 #5 [101c9fa7ec0] tty_write at ffffffff8022ffe3
 #6 [101c9fa7ee0] dnotify_parent at ffffffff80197334
 #7 [101c9fa7f20] __fput at ffffffff8017cb6d
 #8 [101c9fa7f50] sys_fcntl at ffffffff8018de39
 #9 [101c9fa7f80] system_call at ffffffff8011029a
    RIP: 0000003a2720b3fa  RSP: 00000000409fd840  RFLAGS: 00010246
    RAX: 0000000000000048  RBX: ffffffff8011029a  RCX: 00000000ffffffff
    RDX: 0000000040a00110  RSI: 0000000000000007  RDI: 0000000000000003
    RBP: 0000000000000000   R8: 0000000000000000   R9: 00000000ffffffff
    R10: 0000000040a00001  R11: 0000000000000206  R12: 0000003a2720d280
    R13: 0000003a272060a0  R14: 0000000000000003  R15: 0000000040a00110
    ORIG_RAX: 0000000000000048  CS: 0033  SS: 002b 

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

This problem can be reproduced with the test programs (lockit.c, locker.c) and the steps given in the following Bugzilla:


Steps to reproduce:

1. Mount a writable NFS volume from a remote host with nfslock running.
2. Compile the two test programs
gcc -pthread -Wall -o locker locker.c
gcc -Wall -o lockit lockit.c
3. In one terminal start lockit running on a file on the NFS volume:

# lockit /mnt/test

4. In a 2nd terminal start locker running on the same file:

# locker /mnt/test

5. Terminate lockit (CTRL-C)

Actual results:
# ./locker /mnt/locktest
pid 4907 main launching thread
pid 4907 thread 4908 in do_lock
pid 4907 thread 4908  locking
Read from remote host p380-1.gsslab: Connection reset by peer
Connection to p380-1.gsslab closed.

Host died with BUG() in comment #2

Kernel panic with above stack trace

Expected results:
No Panic

Additional info:
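A triage helper for crash dumps like the one in this report, added here as an example (it is not part of this bug report or of the lockit.c/locker.c test programs it references): it parses the `crash` header fields and `bt` output, extracts the faulting symbol from the exception RIP line, and matches it against a table of known issues seeded only with the locks_remove_flock entry from this report. The sample transcript is constructed from the trace above and abbreviated.

```python
import re

# Sample `crash` transcript, constructed from the trace in this bug report
# (abbreviated: register dumps dropped, header and frames kept).
SAMPLE_CRASH_OUTPUT = """\
      PANIC: "invalid operand"
        PID: 22550
    COMMAND: "locker"
    RELEASE: 2.6.9-67.XCsmp
crash> bt
PID: 22550  TASK: 1041f9ad810       CPU: 0   COMMAND: "locker"
 #0 [101c9fa78a8] schedule at ffffffff8031a0eb
 #1 [101c9fa7db0] error_exit at ffffffff80110e4d
    [exception RIP: locks_remove_flock+201]
    RIP: ffffffff80191e92  RSP: 00000101c9fa7e68  RFLAGS: 00010246
 #2 [101c9fa7e60] locks_remove_flock at ffffffff80191e46
 #3 [101c9fa7e90] fcntl_setlk at ffffffff80191c19
 #8 [101c9fa7f50] sys_fcntl at ffffffff8018de39
 #9 [101c9fa7f80] system_call at ffffffff8011029a
"""

# Faulting kernel symbols already tied to a known issue; only the entry
# from this report is present, a real triage table would grow over time.
KNOWN_ISSUES = {"locks_remove_flock": "CVE-2008-4307 (bug 456282)"}
HEADER_RE = re.compile(r"^\s*([A-Z][A-Z_ ]*?):\s+(.*)$")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+\[[0-9a-f]+\]\s+(\S+)\s+at\s+([0-9a-f]+)")
EXC_RE = re.compile(r"\[exception RIP:\s+([A-Za-z0-9_.]+)\+(\d+)\]")

def parse_crash_output(text):
    # Returns (header fields, [(frame no, symbol, address)], (symbol, offset)).
    header, frames, exc, in_bt = {}, [], None, False
    for line in text.splitlines():
        if line.startswith("crash>"):
            in_bt = True  # header fields end at the first prompt
        elif (m := FRAME_RE.match(line)):
            frames.append((int(m.group(1)), m.group(2), m.group(3)))
        elif (m := EXC_RE.search(line)):
            exc = (m.group(1), int(m.group(2)))
        elif not in_bt and (m := HEADER_RE.match(line)):
            header[m.group(1)] = m.group(2).strip().strip('"')
    return header, frames, exc

def triage(text):
    # Summarise the dump and flag a faulting symbol with a known issue.
    header, frames, exc = parse_crash_output(text)
    symbol = exc[0] if exc else None
    syscall = next((s for _, s, _ in frames if s.startswith("sys_")), None)
    return {"panic": header.get("PANIC"), "command": header.get("COMMAND"),
            "release": header.get("RELEASE"), "faulting_symbol": symbol,
            "syscall": syscall, "known_issue": KNOWN_ISSUES.get(symbol)}
```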

Comment 1 Linda Wang 2009-05-13 02:36:57 UTC
Thank you for your bug report.

Please see the following bugzilla ids for the corresponding RHEL4.X and RHEL5.X bugs:

Affects: rhel-4.7.z [bug #456284]
Affects: rhel-4.8 [bug #456285]
Affects: rhel-5.3.z [bug #456287]
Affects: rhel-5.4 [bug #456288]  

Closing this as a dup of the master CVE-2008-4307 bug, bug 456282.

*** This bug has been marked as a duplicate of bug 456282 ***

Comment 2 Jonathan Quist 2009-11-05 18:50:52 UTC
Not sure this bug was properly closed; it is not actually a duplicate of 456282. 456282 describes the problem, whereas 499089 was opened on the basis that the fix provided in errata for RHEL 4.7 was not incorporated into 4.8.
