Bug 624604 - Backport official CVE-2010-2240 fixes
Summary: Backport official CVE-2010-2240 fixes
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: realtime-kernel
Version: 1.2
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Luis Claudio R. Goncalves
QA Contact: David Sommerseth
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-08-17 08:22 UTC by Eugene Teo (Security Response)
Modified: 2016-05-22 23:30 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
The RHSA-2010:0631 kernel-rt update resolved an issue (CVE-2010-2240) where, when an application has a stack overflow, the stack could silently overwrite another memory mapped area instead of a segmentation fault occurring. This update implements the official upstream fixes for that issue. Note: This is not a security regression. The original fix was complete.
Clone Of:
Environment:
Last Closed: 2010-10-08 02:12:56 UTC
Target Upstream Version:
Embargoed:
Links
System: Red Hat Product Errata
ID: RHSA-2010:0758
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: kernel-rt security and bug fix update
Last Updated: 2010-10-08 02:12:02 UTC

Description Eugene Teo (Security Response) 2010-08-17 08:22:12 UTC
Description of problem:
I filed this bug to make sure we revert the unofficial heap-stack patch and backport the upstream CVE-2010-2240 fixes. This is not a regression.

See https://bugzilla.redhat.com/show_bug.cgi?id=606611#c31

Comment 2 Eugene Teo (Security Response) 2010-09-06 08:25:44 UTC
- mm: make stack guard page logic use vm_prev pointer
  0e8e50e20c837eeec8323bba7dcd25fe5479194c
- mm: make the mlock() stack guard page checks stricter
  7798330ac8114c731cfab83e634c6ecedaa233d7
- guard page for stacks that grow upwards
  8ca3eb08097f6839b2206e2242db4179aee3cfb3
- mm: fix up some user-visible effects of the stack guard page
  d7824370e26325c881b665350ce64fb0a4fde24a
- mm: fix page table unmap for stack guard page properly
  11ac552477e32835cb6970bf0a70c210807f5673
- mm: fix missing page table unmap for stack guard page failure case
  5528f9132cf65d4d892bcbc5684c61e7822b21e9
- mm: keep a guard page below a grow-down stack segment
  320b2b8de12698082609ebbc1a17165727f4c893
- x86: don't send SIGBUS for kernel page faults
  96054569190bdec375fe824e48ca1f4e3b53dd36

Comment 6 David Sommerseth 2010-09-30 17:25:25 UTC
Reviewed by code review. The following 8 patches were found applied to kernel-rt-2.6.24.7-166.src.rpm

bz607853-CVE-2010-2240-000-mm-pass-correct-mm-when-growing-stack.patch
bz607853-CVE-2010-2240-001-mm-keep-a-guard-page-below-a-grow-down-stack-segment.patch
bz607853-CVE-2010-2240-002-mm-fix-missing-page-table-unmap-for-stack-guard-page-failure-case.patch
bz607853-CVE-2010-2240-003-mm-fix-page-table-unmap-for-stack-guard-page-properly.patch
bz607853-CVE-2010-2240-004-mm-fix-user-visible-effects-of-the-stack-guard-page.patch
bz607853-CVE-2010-2240-005-mm-make-the-vma-list-be-doubly-linked.patch
bz607853-CVE-2010-2240-006-mm-make-the-mlock-stack-guard-page-checks-stricter.patch
bz607853-CVE-2010-2240-007-mm-make-stack-guard-page-logic-use-vm_prev-pointer.patch

Verified that we have no regressions against 2.6.24.7-161 by running the reproducers available.
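
As an added defender-side example (not code from this bug, the errata or the kernel-rt package), the C program below reads /proc/self/maps and reports how far the [stack] VMA is from the mapping directly below it. The kernel's guard page is not a separate entry in that listing; what the check shows is whether some other area has been placed right under the stack, which is the layout in which a stack overflow could reach another mapping without the guard page logic. SAMPLE_MAPS is a constructed listing, not one captured from a real system, and a 4 KiB page size is assumed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes for stack_gap_from_maps(). */
enum { GAP_OK = 0, GAP_NO_LOWER_MAPPING = 1, GAP_NO_STACK = -1 };

/*
 * Scan the text of a /proc/<pid>/maps listing and compute the distance, in
 * bytes, from the end of the mapping immediately below [stack] to the start
 * of [stack]. Entries are listed in ascending address order, so the line
 * before [stack] is the nearest lower mapping. A gap of 0 means another area
 * is mapped directly below the stack.
 */
int stack_gap_from_maps(const char *maps, unsigned long *gap_out)
{
    const char *line = maps;
    unsigned long prev_end = 0;
    int have_prev = 0;

    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        unsigned long start, end;
        int consumed = 0;

        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        /* Fields: start-end perms offset dev inode [pathname] */
        if (sscanf(buf, "%lx-%lx %*s %*s %*s %*s%n", &start, &end, &consumed) == 2) {
            const char *path = buf + consumed;
            while (*path == ' ' || *path == '\t')
                path++;
            if (strcmp(path, "[stack]") == 0) {
                if (!have_prev)
                    return GAP_NO_LOWER_MAPPING;
                *gap_out = start - prev_end;
                return GAP_OK;
            }
            prev_end = end;
            have_prev = 1;
        }
        if (!nl)
            break;
        line = nl + 1;
    }
    return GAP_NO_STACK;
}

/* Single-number wrapper: the gap, -1 (no [stack] line) or -2 (nothing below). */
long gap_of(const char *maps)
{
    unsigned long gap = 0;
    int rc = stack_gap_from_maps(maps, &gap);
    if (rc == GAP_OK)
        return (long)gap;
    return rc == GAP_NO_STACK ? -1 : -2;
}

/* Constructed sample listing (not captured from a real system): the entry
 * before [stack] ends exactly one 4 KiB page below the stack start. */
const char SAMPLE_MAPS[] =
    "00400000-00401000 r-xp 00000000 08:01 1234 /tmp/demo\n"
    "7ffff7ff0000-7ffff7ff8000 rw-p 00000000 00:00 0\n"
    "7ffffffdc000-7ffffffdd000 rw-p 00000000 00:00 0\n"
    "7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]\n";

/* Read a whole file into a malloc'd string. /proc files report a size of 0,
 * so read until EOF instead of trusting st_size. */
static char *read_file(const char *path)
{
    FILE *f = fopen(path, "r");
    size_t cap = 4096, len = 0, n;
    char *buf;

    if (!f)
        return NULL;
    buf = malloc(cap);
    while (buf && (n = fread(buf + len, 1, cap - len - 1, f)) > 0) {
        len += n;
        if (cap - len - 1 == 0) {
            char *tmp = realloc(buf, cap * 2);
            if (!tmp) { free(buf); buf = NULL; break; }
            buf = tmp;
            cap *= 2;
        }
    }
    fclose(f);
    if (buf)
        buf[len] = '\0';
    return buf;
}

int main(void)
{
    char *text = read_file("/proc/self/maps");
    long gap = text ? gap_of(text) : -1;

    if (gap >= 0)
        printf("gap below [stack]: 0x%lx bytes (%ld pages of 4 KiB)\n", gap, gap / 4096);
    else
        printf("could not determine the gap below [stack] (code %ld)\n", gap);
    free(text);
    return 0;
}
```

Run it as a normal user on the system under test; a large reported gap reflects the kernel's placement policy rather than the guard page itself, so a small or zero gap is the case worth a second look when reviewing a kernel that is supposed to carry these fixes.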

Comment 8 errata-xmlrpc 2010-10-08 02:12:56 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2010-0758.html

Comment 9 Florian Nadge 2010-10-18 16:41:11 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
The RHSA-2010:0631 kernel-rt update resolved an issue (CVE-2010-2240) where, when an application has a stack overflow, the stack could silently overwrite another memory mapped area instead of a segmentation fault occurring. This update implements the official upstream fixes for that issue. Note: This is not a security regression. The original fix was complete.