Bug 595970 - (CVE-2008-7256, CVE-2010-1643) CVE-2008-7256 CVE-2010-1643 kernel: nfsd: fix vm overcommit crash
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: source=lkml,public=20081030,reported=...
Keywords: Security
Depends On: 595972
Reported: 2010-05-25 22:49 EDT by Eugene Teo (Security Response)
Modified: 2010-12-23 17:51 EST (History)
Doc Type: Bug Fix
Last Closed: 2010-12-23 17:51:37 EST
Description Eugene Teo (Security Response) 2010-05-25 22:49:32 EDT
Description of problem:
knfsd crashes if you are using it to export shmemfs objects and run strict overcommit. In this situation the current->mm-based modifier to the overcommit goes through a NULL pointer.

We could simply check for NULL and skip the modifier, but we've caught other real bugs in the past from mm being NULL here - cases where we did need a valid mm set up (e.g. the exec bug in 2005).

To preserve the checks and get the logic we want, shuffle the checking around and add a new helper to the vm_ security wrappers.

Also fix a current->mm reference in nommu that should use the passed mm.

Upstream commit:
nfsd: fix vm overcommit crash
http://git.kernel.org/linus/731572d39fcd3498702eda4600db4c43d51e0b26
nfsd: fix vm overcommit crash fix #2
http://git.kernel.org/linus/1b79cd04fab80be61dcd2732e2423aafde9a4c1c

Reference:
[PATCH] knfsd: add nfs-export support to tmpfs
http://git.kernel.org/linus/91828a405ae454a9503c41a7744f6ff877a80714
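The following userspace model, added here as an illustration and not taken from the kernel tree or the upstream commits linked above, shows the failure pattern the description refers to and the shape of the fix it describes. A kernel thread such as nfsd has no address space of its own, so `current->mm` is NULL; the strict-overcommit calculation subtracted a per-process reservation derived from `current->mm->total_vm` without checking for that. The "after" variant takes the mm as an explicit argument and skips the modifier when there is none, while the two wrapper names follow the kernel's `security_vm_enough_memory` family; their bodies, the structure fields, and all page counts are constructed for this example and are not the real implementation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model of the strict-overcommit accounting path from the oops
 * above. Structures are cut down to the single field the check reads.
 */
struct mm_struct {
    long total_vm;              /* pages mapped in this address space */
};

struct task_struct {
    const char *comm;
    struct mm_struct *mm;       /* NULL for kernel threads such as nfsd */
};

/* Modelled global memory state in 4 KiB pages (values are constructed). */
static long totalram_pages = 262144;      /* 1 GiB of RAM */
static long total_swap_pages = 131072;    /* 512 MiB of swap */
static int  sysctl_overcommit_ratio = 50; /* vm.overcommit_ratio */
static long committed_as = 0;             /* pages already committed */

static struct mm_struct   user_mm   = { .total_vm = 32768 };
static struct task_struct user_task = { "bash", &user_mm };
static struct task_struct nfsd_task = { "nfsd", NULL };   /* kernel thread */
static struct task_struct *current  = &user_task;

/* BEFORE: the per-process modifier reads current->mm unconditionally.
 * With current == &nfsd_task this dereferences NULL, which is the
 * __vm_enough_memory oops in the report. Only call it with a task
 * that owns an mm. */
static long allowed_before(bool cap_sys_admin)
{
    long allowed = totalram_pages * sysctl_overcommit_ratio / 100;
    if (!cap_sys_admin)
        allowed -= allowed / 32;             /* keep ~3% for root */
    allowed += total_swap_pages;
    allowed -= current->mm->total_vm / 32;   /* NULL deref for kernel threads */
    return allowed;
}

/* AFTER: the caller passes the mm explicitly and the modifier is skipped
 * when there is none, so the accounting tolerates kernel threads. */
static long allowed_after(struct mm_struct *mm, bool cap_sys_admin)
{
    long allowed = totalram_pages * sysctl_overcommit_ratio / 100;
    if (!cap_sys_admin)
        allowed -= allowed / 32;
    allowed += total_swap_pages;
    if (mm)
        allowed -= mm->total_vm / 32;        /* leave 3% of this process for others */
    return allowed;
}

/* Returns 0 if the request fits the strict limit, -1 (think -ENOMEM) otherwise. */
static int vm_enough_memory(struct mm_struct *mm, long pages, bool cap_sys_admin)
{
    return committed_as + pages <= allowed_after(mm, cap_sys_admin) ? 0 : -1;
}

/* Wrapper for callers that should always run in a user context: a missing
 * mm is unexpected there, so it is reported (the kernel uses a WARN_ON for
 * this kind of check) but is no longer fatal. */
static int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
{
    if (mm == NULL)
        fprintf(stderr, "WARN: vm_enough_memory called without an mm\n");
    return vm_enough_memory(mm, pages, false);
}

/* Wrapper for paths a kernel thread may legitimately reach, such as the
 * shmem write knfsd issues on behalf of a client: a NULL mm is expected. */
static int security_vm_enough_memory_kern(long pages)
{
    return vm_enough_memory(current->mm, pages, false);
}

int main(void)
{
    current = &user_task;
    printf("%s: allowed=%ld pages, request 1000 -> %d\n", current->comm,
           allowed_after(current->mm, false),
           security_vm_enough_memory_mm(current->mm, 1000));

    current = &nfsd_task;   /* kernel thread: mm == NULL */
    printf("%s: allowed=%ld pages, request 1000 -> %d\n", current->comm,
           allowed_after(current->mm, false),
           security_vm_enough_memory_kern(1000));
    /* allowed_before() here would fault the way the oops above shows. */
    return 0;
}
```

The point of splitting the wrappers is the one the description makes: keeping the `mm == NULL` check for callers that must have an address space preserves its value as a bug detector, while the path a kernel thread can reach gets an explicit NULL-tolerant entry instead of a blanket skip.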
Comment 1 Eugene Teo (Security Response) 2010-05-25 22:50:45 EDT
Unable to handle kernel NULL pointer dereference at 0000000000000120 RIP: 
 [<ffffffff8109b05c>] __vm_enough_memory+0xe2/0x123
PGD 2e1c6067 PUD 2e14c067 PMD 0 
Oops: 0000 [1] PREEMPT SMP 
CPU 0 
Modules linked in: nfs nfsd nfs_acl auth_rpcgss exportfs autofs4 hidp rfcomm l2cap bluetooth lockd sunrpc ip6t_REJECT xt_tcpudp ip6table_filter ip6_tables x_tables ipv6 acpiphp dm_mirror dm_multipath scsi_dh dm_mod video output sbs sbshc battery lp sg floppy sr_mod cdrom serio_raw snd_ens1371 gameport snd_rawmidi snd_ac97_codec ac97_bus snd_seq_dummy ac snd_seq_oss parport_pc parport snd_seq_midi_event snd_seq button snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd soundcore snd_page_alloc e1000 pata_acpi ata_generic shpchp intel_agp pcspkr ata_piix libata mptspi mptscsih mptbase scsi_transport_spi sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd
Pid: 4836, comm: nfsd Not tainted 2.6.24.7-149.el5rt #1
RIP: 0010:[<ffffffff8109b05c>]  [<ffffffff8109b05c>] __vm_enough_memory+0xe2/0x123
RSP: 0018:ffff81002c61f990  EFLAGS: 00010202
RAX: 000000000001b5eb RBX: 0000000000ab0ffe RCX: 000000000001b5eb
RDX: 0000000000000032 RSI: 0000000000000064 RDI: 0000000000000067
RBP: ffff81002c61f9b0 R08: ffff81002c61c440 R09: 0000000000000000
R10: ffff81002e01cb70 R11: 0000000000003000 R12: 0000000000000001
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
FS:  00007fd46c9bd6e0(0000) GS:ffffffff813f7100(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000120 CR3: 000000002e19b000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process nfsd (pid: 4836, threadinfo ffff81002c61e000, task ffff81002c61c440)
Stack:  ffff81002f5c1ac0 0000000000000001 0000000000000000 0000000000000000
 ffff81002c61f9e0 ffffffff811157d8 0000000000000000 ffff81002f4e8840
 ffff81002f4e8870 ffff81002e01ca10 ffff81002c61f9f0 ffffffff8110eb1b
Call Trace:
 [<ffffffff811157d8>] selinux_vm_enough_memory+0x66/0x6e
 [<ffffffff8110eb1b>] security_vm_enough_memory+0x24/0x26
 [<ffffffff810a7d79>] shmem_getpage+0x3e0/0x744
 [<ffffffff8105ef24>] ? __rt_mutex_adjust_prio+0x11/0x24
 [<ffffffff81113b2c>] ? selinux_inode_getsecurity+0x2c/0x8b
 [<ffffffff8110f560>] ? security_inode_getsecurity+0x1c/0x1e
 [<ffffffff810a63f4>] ? shmem_xattr_security_get+0x19/0x1b
 [<ffffffff810cc527>] ? generic_getxattr+0x4e/0x5c
 [<ffffffff8110e1e0>] ? cap_inode_need_killpriv+0x2d/0x3b
 [<ffffffff81112584>] ? selinux_inode_need_killpriv+0x11/0x13
 [<ffffffff810a8f17>] shmem_file_write+0x124/0x214
 [<ffffffff810a8df3>] ? shmem_file_write+0x0/0x214
 [<ffffffff810b0bd4>] do_loop_readv_writev+0x3c/0x71
 [<ffffffff810b155c>] do_readv_writev+0xec/0x1b4
 [<ffffffff811132a9>] ? inode_has_perm+0x6b/0x7a
 [<ffffffff8128b29e>] ? rt_spin_lock+0x9/0xb
 [<ffffffff810b1665>] vfs_writev+0x41/0x4c
 [<ffffffff8837fc90>] :nfsd:nfsd_vfs_write+0x107/0x31d
 [<ffffffff810af931>] ? dentry_open+0x63/0x6b
 [<ffffffff88380390>] ? :nfsd:nfsd_open+0x167/0x17d
 [<ffffffff883805a7>] :nfsd:nfsd_write+0xbd/0xd9
 [<ffffffff8838789c>] :nfsd:nfsd3_proc_write+0x106/0x126
 [<ffffffff8837c26c>] :nfsd:nfsd_dispatch+0xe9/0x1c6
 [<ffffffff882f6d4f>] :sunrpc:svc_process+0x404/0x6f9
 [<ffffffff81048b79>] ? recalc_sigpending+0x12/0x41
 [<ffffffff8837c85d>] :nfsd:nfsd+0x19f/0x2b6
 [<ffffffff8100d088>] child_rip+0xa/0x12
 [<ffffffff8837c6be>] ? :nfsd:nfsd+0x0/0x2b6
 [<ffffffff8100d07e>] ? child_rip+0x0/0x12


Code: 00 00 00 48 29 c3 48 63 05 42 96 32 00 48 89 d6 31 d2 48 0f af d8 48 89 d8 48 f7 f6 45 85 ed 48 89 c1 75 07 48 c1 e8 05 48 29 c1 <49> 8b 86 20 01 00 00 48 8b 15 36 54 4e 00 48 c1 e8 05 48 29 c2 
RIP  [<ffffffff8109b05c>] __vm_enough_memory+0xe2/0x123
 RSP <ffff81002c61f990>
Comment 2 Eugene Teo (Security Response) 2010-05-25 22:51:22 EDT
Statement:

This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4 and 5 as they did not include nfs-export support for tmpfs. A future kernel update in Red Hat Enterprise MRG will address this issue.
Comment 5 errata-xmlrpc 2010-08-17 11:53:00 EDT
This issue has been addressed in the following products:

  MRG for RHEL-5

Via RHSA-2010:0631 https://rhn.redhat.com/errata/RHSA-2010-0631.html
