Bug 595970 (CVE-2008-7256, CVE-2010-1643) - CVE-2008-7256 CVE-2010-1643 kernel: nfsd: fix vm overcommit crash
Summary: CVE-2008-7256 CVE-2010-1643 kernel: nfsd: fix vm overcommit crash
Alias: CVE-2008-7256, CVE-2010-1643
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 595972
Reported: 2010-05-26 02:49 UTC by Eugene Teo (Security Response)
Modified: 2021-02-24 23:08 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-12-23 22:51:37 UTC


System: Red Hat Product Errata
ID: RHSA-2010:0631
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: kernel-rt security and bug fix update
Last Updated: 2010-08-18 07:58:39 UTC

Description Eugene Teo (Security Response) 2010-05-26 02:49:32 UTC
Description of problem:
knfsd crashes if you are using it to export shmemfs objects and run strict overcommit. In this situation the current->mm based modifier to the overcommit goes through a NULL pointer.
We could simply check for NULL and skip the modifier but we've caught other real bugs in the past from mm being NULL here - cases where we did need a valid mm set up (e.g. the exec bug in 2005).
To preserve the checks and get the logic we want shuffle the checking around and add a new helper to the vm_ security wrappers.
Also fix a current->mm reference in nommu that should use the passed mm.

Upstream commit:
nfsd: fix vm overcommit crash
nfsd: fix vm overcommit crash fix #2

[PATCH] knfsd: add nfs-export support to tmpfs
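As an added example (not code from the kernel, the upstream commits or this bug report), the following user-space C model shows the shape of the crash and of the fix described above: a strict-overcommit modifier that subtracts a share of the caller's mm, an entry point that keeps its "mm must exist" check, and a separate kernel-internal helper that tolerates a NULL mm for kernel threads such as nfsd. The `struct mm_struct`, `struct task`, the policy constant, the page limits and the `WARN_ON` stand-in are all constructed for the example; the function names mirror the kernel's for readability only.

```c
/* Added example (not kernel code): a user-space model of the overcommit
 * accounting path behind this bug. All types, limits and counters below are
 * constructed stand-ins; the names mirror kernel helpers for readability. */
#include <stdio.h>

#define OVERCOMMIT_NEVER 2              /* strict overcommit policy, constructed */

struct mm_struct {                      /* only the field the modifier reads */
    unsigned long total_vm;             /* pages mapped by this address space */
};

struct task {                           /* constructed stand-in for "current" */
    const char *comm;
    struct mm_struct *mm;               /* NULL for a kernel thread such as nfsd */
};

static int sysctl_overcommit_memory = OVERCOMMIT_NEVER;
static unsigned long commit_limit = 1000;   /* pages, constructed */
static unsigned long committed = 900;       /* pages already charged, constructed */
static int warn_count;                      /* how often the sanity check fired */

#define WARN_ON(cond) do { if (cond) warn_count++; } while (0)

/* Pre-fix shape: the helper takes no mm and reaches for current->mm itself.
 * Under strict overcommit the modifier dereferences it, so a kernel thread
 * (mm == NULL) faults just as the oops in this report shows. Only ever call
 * this variant with a task that has an mm. */
static int vm_enough_memory_old(struct task *current, long pages)
{
    unsigned long allowed = commit_limit;
    if (sysctl_overcommit_memory == OVERCOMMIT_NEVER)
        allowed -= current->mm->total_vm / 32;   /* NULL dereference for nfsd */
    return committed + pages <= allowed ? 0 : -1;
}

/* Post-fix shape: mm is an explicit parameter and may legitimately be NULL,
 * in which case the per-mm modifier is simply skipped. */
static int __vm_enough_memory(struct mm_struct *mm, long pages)
{
    unsigned long allowed = commit_limit;
    if (sysctl_overcommit_memory == OVERCOMMIT_NEVER && mm)
        allowed -= mm->total_vm / 32;            /* modifier only with a real mm */
    return committed + pages <= allowed ? 0 : -1;
}

/* The original wrapper keeps its "an mm must exist here" check, so a path that
 * wrongly runs without one is still flagged; the new _kern wrapper is the one
 * place where a missing mm is expected and passes NULL through silently. */
static int security_vm_enough_memory(struct task *current, long pages)
{
    WARN_ON(current->mm == NULL);               /* unexpected caller: flag it */
    return __vm_enough_memory(current->mm, pages);
}

static int security_vm_enough_memory_kern(struct task *current, long pages)
{
    /* Kernel-internal callers such as the tmpfs write path driven by nfsd
     * may have no mm; that is fine for this specific case. */
    return __vm_enough_memory(current->mm, pages);
}

/* Scenario helpers so results can be checked by name. */
static int user_task_request(long pages)        /* user process, 640-page mm */
{
    struct mm_struct mm = { .total_vm = 640 };  /* 640 / 32 = 20 pages withheld */
    struct task t = { "cp", &mm };
    return security_vm_enough_memory(&t, pages);
}

static int nfsd_request(long pages)             /* kernel thread, no mm */
{
    struct task t = { "nfsd", NULL };
    return security_vm_enough_memory_kern(&t, pages);
}

static int warnings_so_far(void) { return warn_count; }

int main(void)
{
    struct mm_struct mm = { .total_vm = 640 };
    struct task user = { "cp", &mm };
    printf("old helper, user task, 80 pages: %d\n", vm_enough_memory_old(&user, 80));
    printf("user task, 80 pages: %d\n", user_task_request(80));   /* 980 <= 980 */
    printf("user task, 81 pages: %d\n", user_task_request(81));   /* 981 >  980 */
    printf("nfsd, 100 pages: %d\n", nfsd_request(100));           /* 1000 <= 1000 */
    printf("nfsd, 101 pages: %d\n", nfsd_request(101));           /* 1001 > 1000 */
    printf("warnings: %d\n", warnings_so_far());
    return 0;
}
```

The point of keeping two wrappers rather than one NULL-tolerant entry point is the one the description makes: the check that catches a genuinely missing mm stays in force for every existing caller, and only the caller that is known to run from a kernel thread opts into the NULL-tolerant path.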

Comment 1 Eugene Teo (Security Response) 2010-05-26 02:50:45 UTC
Unable to handle kernel NULL pointer dereference at 0000000000000120 RIP: 
 [<ffffffff8109b05c>] __vm_enough_memory+0xe2/0x123
PGD 2e1c6067 PUD 2e14c067 PMD 0 
Oops: 0000 [1] PREEMPT SMP 
CPU 0 
Modules linked in: nfs nfsd nfs_acl auth_rpcgss exportfs autofs4 hidp rfcomm l2cap bluetooth lockd sunrpc ip6t_REJECT xt_tcpudp ip6table_filter ip6_tables x_tables ipv6 acpiphp dm_mirror dm_multipath scsi_dh dm_mod video output sbs sbshc battery lp sg floppy sr_mod cdrom serio_raw snd_ens1371 gameport snd_rawmidi snd_ac97_codec ac97_bus snd_seq_dummy ac snd_seq_oss parport_pc parport snd_seq_midi_event snd_seq button snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd soundcore snd_page_alloc e1000 pata_acpi ata_generic shpchp intel_agp pcspkr ata_piix libata mptspi mptscsih mptbase scsi_transport_spi sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd
Pid: 4836, comm: nfsd Not tainted #1
RIP: 0010:[<ffffffff8109b05c>]  [<ffffffff8109b05c>] __vm_enough_memory+0xe2/0x123
RSP: 0018:ffff81002c61f990  EFLAGS: 00010202
RAX: 000000000001b5eb RBX: 0000000000ab0ffe RCX: 000000000001b5eb
RDX: 0000000000000032 RSI: 0000000000000064 RDI: 0000000000000067
RBP: ffff81002c61f9b0 R08: ffff81002c61c440 R09: 0000000000000000
R10: ffff81002e01cb70 R11: 0000000000003000 R12: 0000000000000001
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
FS:  00007fd46c9bd6e0(0000) GS:ffffffff813f7100(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000120 CR3: 000000002e19b000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process nfsd (pid: 4836, threadinfo ffff81002c61e000, task ffff81002c61c440)
Stack:  ffff81002f5c1ac0 0000000000000001 0000000000000000 0000000000000000
 ffff81002c61f9e0 ffffffff811157d8 0000000000000000 ffff81002f4e8840
 ffff81002f4e8870 ffff81002e01ca10 ffff81002c61f9f0 ffffffff8110eb1b
Call Trace:
 [<ffffffff811157d8>] selinux_vm_enough_memory+0x66/0x6e
 [<ffffffff8110eb1b>] security_vm_enough_memory+0x24/0x26
 [<ffffffff810a7d79>] shmem_getpage+0x3e0/0x744
 [<ffffffff8105ef24>] ? __rt_mutex_adjust_prio+0x11/0x24
 [<ffffffff81113b2c>] ? selinux_inode_getsecurity+0x2c/0x8b
 [<ffffffff8110f560>] ? security_inode_getsecurity+0x1c/0x1e
 [<ffffffff810a63f4>] ? shmem_xattr_security_get+0x19/0x1b
 [<ffffffff810cc527>] ? generic_getxattr+0x4e/0x5c
 [<ffffffff8110e1e0>] ? cap_inode_need_killpriv+0x2d/0x3b
 [<ffffffff81112584>] ? selinux_inode_need_killpriv+0x11/0x13
 [<ffffffff810a8f17>] shmem_file_write+0x124/0x214
 [<ffffffff810a8df3>] ? shmem_file_write+0x0/0x214
 [<ffffffff810b0bd4>] do_loop_readv_writev+0x3c/0x71
 [<ffffffff810b155c>] do_readv_writev+0xec/0x1b4
 [<ffffffff811132a9>] ? inode_has_perm+0x6b/0x7a
 [<ffffffff8128b29e>] ? rt_spin_lock+0x9/0xb
 [<ffffffff810b1665>] vfs_writev+0x41/0x4c
 [<ffffffff8837fc90>] :nfsd:nfsd_vfs_write+0x107/0x31d
 [<ffffffff810af931>] ? dentry_open+0x63/0x6b
 [<ffffffff88380390>] ? :nfsd:nfsd_open+0x167/0x17d
 [<ffffffff883805a7>] :nfsd:nfsd_write+0xbd/0xd9
 [<ffffffff8838789c>] :nfsd:nfsd3_proc_write+0x106/0x126
 [<ffffffff8837c26c>] :nfsd:nfsd_dispatch+0xe9/0x1c6
 [<ffffffff882f6d4f>] :sunrpc:svc_process+0x404/0x6f9
 [<ffffffff81048b79>] ? recalc_sigpending+0x12/0x41
 [<ffffffff8837c85d>] :nfsd:nfsd+0x19f/0x2b6
 [<ffffffff8100d088>] child_rip+0xa/0x12
 [<ffffffff8837c6be>] ? :nfsd:nfsd+0x0/0x2b6
 [<ffffffff8100d07e>] ? child_rip+0x0/0x12

Code: 00 00 00 48 29 c3 48 63 05 42 96 32 00 48 89 d6 31 d2 48 0f af d8 48 89 d8 48 f7 f6 45 85 ed 48 89 c1 75 07 48 c1 e8 05 48 29 c1 <49> 8b 86 20 01 00 00 48 8b 15 36 54 4e 00 48 c1 e8 05 48 29 c2 
RIP  [<ffffffff8109b05c>] __vm_enough_memory+0xe2/0x123
 RSP <ffff81002c61f990>

Comment 2 Eugene Teo (Security Response) 2010-05-26 02:51:22 UTC

This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4 and 5 as they did not include nfs-export support for tmpfs. A future kernel update in Red Hat Enterprise MRG will address this issue.

Comment 5 errata-xmlrpc 2010-08-17 15:53:00 UTC
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2010:0631 https://rhn.redhat.com/errata/RHSA-2010-0631.html
