CVE-2008-4307 Kernel BUG() in locks_remove_flock

Description of problem:

The RHEL4.x kernel (2.6.9-67), and even the latest RHEL4.x kernel update, is missing the patch suggested in Bugzilla (https://bugzilla.redhat.com/show_bug.cgi?id=456282) (CVE-2008-4307).

The reported issue in BZ456282 can be readily reproduced on RHEL4.6 with the test programs (lockit.c, locker.c) and the steps given in Bugzilla 456282, resulting in a kernel panic with the stack trace below. This Bugzilla is a request to include this patch in the next RHEL 4.X and 5.X kernel updates, as both seem to have this issue due to the missing patch.

# crash /boot/System.map-2.6.9-67.XCsmp /boot/vmlinux-2.6.9-67.XCsmp /var/log/dump/0/dump.0

crash 4.0-3.9.lnxhpc.1
....
      SYSTEM MAP: /boot/System.map-2.6.9-67.XCsmp
    DEBUG KERNEL: /boot/vmlinux-2.6.9-67.XCsmp (2.6.9-67.XCsmp)
        DUMPFILE: /var/log/dump/0/dump.0
            CPUS: 4
            DATE: Thu Mar 19 12:40:23 2009
          UPTIME: 20 days, 00:26:58
    LOAD AVERAGE: 0.68, 0.17, 0.10
           TASKS: 417
        NODENAME: n0
         RELEASE: 2.6.9-67.XCsmp
         VERSION: #1 SMP Mon Aug 11 20:21:11 EDT 2008
         MACHINE: x86_64  (1866 Mhz)
          MEMORY: 17 GB
           PANIC: "invalid operand"
             PID: 22550
         COMMAND: "locker"
            TASK: 1041f9ad810  [THREAD_INFO: 101c9fa4000]
             CPU: 0
           STATE: TASK_RUNNING (PANIC)

crash> bt
PID: 22550  TASK: 1041f9ad810  CPU: 0   COMMAND: "locker"
 #0 [101c9fa78a8] schedule at ffffffff8031a0eb
 #1 [101c9fa7db0] error_exit at ffffffff80110e4d
    [exception RIP: locks_remove_flock+201]
    RIP: ffffffff80191e92  RSP: 00000101c9fa7e68  RFLAGS: 00010246
    RAX: 000001042ca38f60  RBX: 00000103b398de80  RCX: 0000000000000003
    RDX: 0000000000000000  RSI: 000000000000007c  RDI: ffffffff80525180
    RBP: 00000103b398dd70   R8: 000000000000270f   R9: 000001042fb85000
    R10: 000001042fb85000  R11: 000001042b8cf100  R12: 00000103e400b340
    R13: 00000103b3e219a8  R14: 0000000000000003  R15: 0000003a2720d280
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
 #2 [101c9fa7e60] locks_remove_flock at ffffffff80191e46
 #3 [101c9fa7e90] fcntl_setlk at ffffffff80191c19
 #4 [101c9fa7ea0] tty_ldisc_deref at ffffffff8022f8bc
 #5 [101c9fa7ec0] tty_write at ffffffff8022ffe3
 #6 [101c9fa7ee0] dnotify_parent at ffffffff80197334
 #7 [101c9fa7f20] __fput at ffffffff8017cb6d
 #8 [101c9fa7f50] sys_fcntl at ffffffff8018de39
 #9 [101c9fa7f80] system_call at ffffffff8011029a
    RIP: 0000003a2720b3fa  RSP: 00000000409fd840  RFLAGS: 00010246
    RAX: 0000000000000048  RBX: ffffffff8011029a  RCX: 00000000ffffffff
    RDX: 0000000040a00110  RSI: 0000000000000007  RDI: 0000000000000003
    RBP: 0000000000000000   R8: 0000000000000000   R9: 00000000ffffffff
    R10: 0000000040a00001  R11: 0000000000000206  R12: 0000003a2720d280
    R13: 0000003a272060a0  R14: 0000000000000003  R15: 0000000040a00110
    ORIG_RAX: 0000000000000048  CS: 0033  SS: 002b

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
This problem can be reproduced with the test programs (lockit.c, locker.c) and the steps given in the following Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=456282

Steps to reproduce:
1. Mount a writable NFS volume from a remote host with nfslock running.
2. Compile the two test programs:
   gcc -pthread -Wall -o locker locker.c
   gcc -Wall -o lockit lockit.c
3. In one terminal start lockit running on a file on the NFS volume:
   # lockit /mnt/test
4. In a 2nd terminal start locker running on the same file:
   # locker /mnt/test
5. Terminate lockit (CTRL-C)

Actual results:
# ./locker /mnt/locktest
pid 4907 main launching thread
pid 4907 thread 4908 in do_lock
pid 4907 thread 4908 locking
Read from remote host p380-1.gsslab: Connection reset by peer
Connection to p380-1.gsslab closed.

Host died with BUG() in comment #2

Expected results:

Actual results:
Kernel panic with above stack trace

Expected results:
No Panic

Additional info:
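When a report like this arrives with a vmcore, the first triage step is usually to pull the faulting symbol, the owning task and the syscall boundary out of the `crash> bt` text. The following parser does that for the output format quoted above. It is an added example written for this page, not code from the Bugzilla entry or from the crash project; the line patterns are derived from the trace shown here, and the sample input is the report's own backtrace with the register dumps shortened to a few lines.

```python
# Added example (not from the Bugzilla entry or the crash project): parse the
# text that `crash` prints for `bt` so a vmcore backtrace like the one above
# can be triaged with a script instead of by eye.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Line shapes as they appear in the `crash> bt` output quoted in the report.
HEADER_RE = re.compile(
    r'^PID:\s*(\d+)\s+TASK:\s*([0-9a-f]+)\s+CPU:\s*(\d+)\s+COMMAND:\s*"([^"]*)"')
FRAME_RE = re.compile(r'^\s*#(\d+)\s+\[([0-9a-f]+)\]\s+(\S+)\s+at\s+([0-9a-f]+)')
EXC_RE = re.compile(r'^\s*\[exception RIP:\s*([^\]+\s]+)\+(\d+)\]')
REG_RE = re.compile(r'\b([A-Z][A-Z0-9_]*):\s*([0-9a-f]+)')


@dataclass
class Frame:
    index: int
    sp: int     # stack address shown in brackets
    func: str   # symbol the return address resolved to
    addr: int   # return address


@dataclass
class Backtrace:
    pid: int
    task: int
    cpu: int
    command: str
    frames: List[Frame] = field(default_factory=list)
    exception_func: Optional[str] = None    # symbol in "[exception RIP: ...]"
    exception_offset: Optional[int] = None  # byte offset into that symbol
    exception_regs: Dict[str, int] = field(default_factory=dict)
    user_regs: Dict[str, int] = field(default_factory=dict)  # dump after system_call


def parse_bt(text: str) -> Backtrace:
    bt = None
    regs = None  # register dict that the next "RAX: ..." lines belong to
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            bt = Backtrace(int(m.group(1)), int(m.group(2), 16),
                           int(m.group(3)), m.group(4))
            continue
        if bt is None:
            continue  # skip the banner and prompt before the PID header
        m = FRAME_RE.match(line)
        if m:
            bt.frames.append(Frame(int(m.group(1)), int(m.group(2), 16),
                                   m.group(3), int(m.group(4), 16)))
            regs = bt.user_regs  # registers after the last frame are the user-space dump
            continue
        m = EXC_RE.match(line)
        if m:
            bt.exception_func, bt.exception_offset = m.group(1), int(m.group(2))
            regs = bt.exception_regs  # registers after this line are the faulting context
            continue
        if regs is not None:
            for name, val in REG_RE.findall(line):
                regs[name] = int(val, 16)
    if bt is None:
        raise ValueError("no 'PID: ... COMMAND:' header found")
    return bt


def call_chain(bt: Backtrace) -> List[str]:
    """Function names from the outermost frame (syscall entry) inward."""
    return [f.func for f in sorted(bt.frames, key=lambda f: f.index, reverse=True)]


def summarize(bt: Backtrace) -> str:
    where = bt.exception_func or bt.frames[0].func
    if bt.exception_offset is not None:
        where += "+%d" % bt.exception_offset
    nr = bt.user_regs.get("ORIG_RAX")  # syscall number saved at entry
    tail = "" if nr is None else " (syscall nr %d)" % nr
    return 'pid %d "%s" on cpu %d faulted in %s%s' % (bt.pid, bt.command, bt.cpu, where, tail)


# Sample input: the report's own `crash> bt` output, register dumps trimmed.
SAMPLE_BT = """\
crash> bt
PID: 22550  TASK: 1041f9ad810  CPU: 0   COMMAND: "locker"
 #0 [101c9fa78a8] schedule at ffffffff8031a0eb
 #1 [101c9fa7db0] error_exit at ffffffff80110e4d
    [exception RIP: locks_remove_flock+201]
    RIP: ffffffff80191e92  RSP: 00000101c9fa7e68  RFLAGS: 00010246
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
 #2 [101c9fa7e60] locks_remove_flock at ffffffff80191e46
 #3 [101c9fa7e90] fcntl_setlk at ffffffff80191c19
 #4 [101c9fa7ea0] tty_ldisc_deref at ffffffff8022f8bc
 #5 [101c9fa7ec0] tty_write at ffffffff8022ffe3
 #6 [101c9fa7ee0] dnotify_parent at ffffffff80197334
 #7 [101c9fa7f20] __fput at ffffffff8017cb6d
 #8 [101c9fa7f50] sys_fcntl at ffffffff8018de39
 #9 [101c9fa7f80] system_call at ffffffff8011029a
    RIP: 0000003a2720b3fa  RSP: 00000000409fd840  RFLAGS: 00010246
    ORIG_RAX: 0000000000000048  CS: 0033  SS: 002b
"""

if __name__ == "__main__":
    parsed = parse_bt(SAMPLE_BT)
    print(summarize(parsed))
    print(" -> ".join(call_chain(parsed)))
```

The user-space `ORIG_RAX` of 0x48 (72) is the fcntl system call number on x86_64, which agrees with the `sys_fcntl` frame, and `CS: 0033` versus `CS: 0010` separates the user-mode entry context from the kernel-mode fault. Frames that do not form a plausible call path (here `tty_ldisc_deref`, `tty_write` and `dnotify_parent` sitting between `fcntl_setlk` and `__fput`) may be stale return addresses that a stack scan picked up on this old x86_64 kernel, so cross-check them against the source before treating the whole list as the real call chain.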
Thank you for your bug report. Please see the following bugzilla ids for the corresponding RHEL4.X and RHEL5.X bugs:

Affects: rhel-4.7.z [bug #456284]
Affects: rhel-4.8 [bug #456285]
Affects: rhel-5.3.z [bug #456287]
Affects: rhel-5.4 [bug #456288]

Closing this as a dup of the master CVE-2008-4307 bug, bug 456282.

*** This bug has been marked as a duplicate of bug 456282 ***
Not sure this bug was properly closed - it is not actually a duplicate of 456282. 456282 describes the problem; 499089 was opened on the basis that the fix provided in the errata for RHEL 4.7 was not incorporated into 4.8.