Bug 625688 - (CVE-2010-4243) CVE-2010-4243 kernel: mm: mem allocated invisible to oom_kill() when not attached to any threads
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
impact=moderate,public=20100813,repor...
: Security
Depends On: 625691 625692 625693 625694 625695 627811
Reported: 2010-08-20 03:05 EDT by Eugene Teo (Security Response)
Modified: 2015-08-31 23:55 EDT
Description Eugene Teo (Security Response) 2010-08-20 03:05:24 EDT
Description of problem:
This issue was mentioned in http://grsecurity.net/~spender/64bit_dos.c. Written in the comments: "The second bug here is that the memory usage explodes within the kernel from a single 128k allocation in userland The explosion of memory isn't accounted for by any task so it won't be terminated by the OOM killer."

Acknowledgements:

Red Hat would like to thank Brad Spengler for reporting this issue.
Comment 7 Eugene Teo (Security Response) 2010-09-01 00:37:56 EDT
Two issues here, the BUG_ON condition and the OOM dodging issue.

Roland proposed the solution to the BUG_ON issue with http://lkml.org/lkml/2010/8/30/463 as opposed to Kee's http://www.openwall.com/lists/oss-security/2010/08/27/1.

And Motohiro-san proposed http://lkml.org/lkml/2010/8/29/206 for the OOM dodging issue, but no feedback yet.

re: reproducer, Alexander noted http://lkml.org/lkml/2010/8/30/378.

So I see two possible CVE assignments.
Comment 8 Eugene Teo (Security Response) 2010-09-01 00:39:24 EDT
Introduced by upstream commit b6a2fea39318e43fee84fa7b0b90d68bed92d2ba.

For my reference, bug 443659 (rhel-5).
Comment 14 Eugene Teo (Security Response) 2010-10-20 23:57:08 EDT
The top-level bug for the BUG_ON issue is bug 645222. This bug will be used to address the OOM dodging issue.
Comment 15 Eugene Teo (Security Response) 2010-10-24 23:50:45 EDT
Update:
http://lkml.org/lkml/2010/10/24/207
Comment 16 Eugene Teo (Security Response) 2010-11-30 21:05:56 EST
(In reply to comment #15)
> Update:
> http://lkml.org/lkml/2010/10/24/207

http://linux.derkeiler.com/Mailing-Lists/Kernel/2010-11/msg13278.html
Comment 17 Danny Feng 2010-11-30 21:33:18 EST
(In reply to comment #16)
> (In reply to comment #15)
> > Update:
> > http://lkml.org/lkml/2010/10/24/207
> 
> http://linux.derkeiler.com/Mailing-Lists/Kernel/2010-11/msg13278.html

upstream commit 3c77f845722158206a7209c45ccddc264d19319c
Comment 20 errata-xmlrpc 2011-01-13 16:10:37 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0017 https://rhn.redhat.com/errata/RHSA-2011-0017.html
Comment 21 errata-xmlrpc 2011-01-14 04:02:34 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0017 https://rhn.redhat.com/errata/RHSA-2011-0017.html
Comment 22 errata-xmlrpc 2011-02-22 12:38:30 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0283 https://rhn.redhat.com/errata/RHSA-2011-0283.html
Comment 25 errata-xmlrpc 2011-09-12 15:44:48 EDT
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2011:1253 https://rhn.redhat.com/errata/RHSA-2011-1253.html
