Bug 530490 (CVE-2009-3547) - CVE-2009-3547 kernel: fs: pipe.c null pointer dereference
Summary: CVE-2009-3547 kernel: fs: pipe.c null pointer dereference
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-3547
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 530934 530935 530936 530937 530938 530939 531656 533097 533098 533099 537294
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-10-23 04:16 UTC by Eugene Teo (Security Response)
Modified: 2019-09-29 12:33 UTC (History)
28 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-03-28 08:08:52 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1540 normal SHIPPED_LIVE Important: kernel-rt security, bug fix, and enhancement update 2009-11-03 18:21:07 UTC
Red Hat Product Errata RHSA-2009:1541 normal SHIPPED_LIVE Important: kernel security update 2009-11-03 19:12:49 UTC
Red Hat Product Errata RHSA-2009:1548 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-11-03 19:33:33 UTC
Red Hat Product Errata RHSA-2009:1550 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-11-03 21:59:47 UTC
Red Hat Product Errata RHSA-2009:1587 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-11-17 15:23:31 UTC
Red Hat Product Errata RHSA-2009:1588 normal SHIPPED_LIVE Important: kernel security update 2009-11-17 15:25:58 UTC
Red Hat Product Errata RHSA-2009:1672 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-12-16 07:53:20 UTC

Comment 4 Eugene Teo (Security Response) 2009-10-26 07:16:09 UTC
Quote from the upstream commit:
fs: pipe.c null pointer dereference
    
This patch fixes a null pointer exception in pipe_rdwr_open() which generates the stack trace:
    
> Unable to handle kernel NULL pointer dereference at 0000000000000028 RIP:
>  [<ffffffff802899a5>] pipe_rdwr_open+0x35/0x70
>  [<ffffffff8028125c>] __dentry_open+0x13c/0x230
>  [<ffffffff8028143d>] do_filp_open+0x2d/0x40
>  [<ffffffff802814aa>] do_sys_open+0x5a/0x100
>  [<ffffffff8021faf3>] sysenter_do_call+0x1b/0x67
    
The failure mode is triggered by an attempt to open an anonymous pipe via /proc/pid/fd/* as exemplified by this script:
    
=============================================================
while : ; do
   { echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
   PID=$!
   OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
        { read PID REST ; echo $PID; } )
   OUT="${OUT%% *}"
   DELAY=$((RANDOM * 1000 / 32768))
   usleep $((DELAY * 1000 + RANDOM % 1000 ))
   echo n > /proc/$OUT/fd/1                 # Trigger defect
done
=============================================================
    
Note that the failure window is quite small and I could only reliably reproduce the defect by inserting a small delay in pipe_rdwr_open(). For example:

 static int
 pipe_rdwr_open(struct inode *inode, struct file *filp)
 {
       msleep(100);
       mutex_lock(&inode->i_mutex);

Although the defect was observed in pipe_rdwr_open(), I think it makes sense to replicate the change through all the pipe_*_open() functions.
    
The core of the change is to verify that inode->i_pipe has not been released before attempting to manipulate it. If inode->i_pipe is no longer present, return ENOENT to indicate so.
    
The comment about potentially using atomic_t for i_pipe->readers and i_pipe->writers has also been removed because it is no longer relevant in this context. The inode->i_mutex lock must be used so that inode->i_pipe can be dealt with correctly.

http://lkml.org/lkml/2009/10/14/184
http://lkml.org/lkml/2009/10/21/42
http://git.kernel.org/linus/ad3960243e55320d74195fb85c975e0a8cc4466c

Comment 10 errata-xmlrpc 2009-11-03 18:21:24 UTC
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2009:1540 https://rhn.redhat.com/errata/RHSA-2009-1540.html

Comment 11 errata-xmlrpc 2009-11-03 19:12:54 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1541 https://rhn.redhat.com/errata/RHSA-2009-1541.html

Comment 12 errata-xmlrpc 2009-11-03 19:33:47 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1548 https://rhn.redhat.com/errata/RHSA-2009-1548.html

Comment 14 errata-xmlrpc 2009-11-03 22:03:31 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1550 https://rhn.redhat.com/errata/RHSA-2009-1550.html

Comment 17 Fedora Update System 2009-11-05 04:56:59 UTC
kernel-2.6.30.9-96.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kernel-2.6.30.9-96.fc11

Comment 18 Fedora Update System 2009-11-05 05:05:36 UTC
kernel-2.6.30.9-96.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kernel-2.6.30.9-96.fc11

Comment 19 Fedora Update System 2009-11-05 05:14:31 UTC
kernel-2.6.27.38-170.2.113.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kernel-2.6.27.38-170.2.113.fc10

Comment 20 Fedora Update System 2009-11-06 00:02:49 UTC
kernel-2.6.30.9-96.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 Fedora Update System 2009-11-06 00:04:43 UTC
kernel-2.6.27.38-170.2.113.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 errata-xmlrpc 2009-11-17 15:23:37 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.3.Z - Server Only

Via RHSA-2009:1587 https://rhn.redhat.com/errata/RHSA-2009-1587.html

Comment 24 errata-xmlrpc 2009-11-17 15:26:35 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4.7 Z Stream

Via RHSA-2009:1588 https://rhn.redhat.com/errata/RHSA-2009-1588.html

Comment 26 Igor Zhang 2009-12-09 06:41:17 UTC
Wrong placement for Comment #25, sorry!~ I should change its state back.

Comment 27 errata-xmlrpc 2009-12-15 17:02:12 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.2 Z Stream

Via RHSA-2009:1672 https://rhn.redhat.com/errata/RHSA-2009-1672.html


Note You need to log in before you can comment on or make changes to this bug.