Bug 625688 (CVE-2010-4243) - CVE-2010-4243 kernel: mm: mem allocated invisible to oom_kill() when not attached to any threads
Summary: CVE-2010-4243 kernel: mm: mem allocated invisible to oom_kill() when not atta...
Status: CLOSED ERRATA
Alias: CVE-2010-4243
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20100813,repor...
Keywords: Security
Depends On: 625691 625692 625693 625694 625695 627811
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-08-20 07:05 UTC by Eugene Teo (Security Response)
Modified: 2018-02-12 21:34 UTC (History)
18 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-02-01 16:40:39 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0017 normal SHIPPED_LIVE Important: Red Hat Enterprise Linux 5.6 kernel security and bug fix update 2011-01-13 10:37:42 UTC
Red Hat Product Errata RHSA-2011:0283 normal SHIPPED_LIVE Moderate: kernel security, bug fix, and enhancement update 2011-02-22 17:38:22 UTC
Red Hat Product Errata RHSA-2011:1253 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2011-09-12 19:43:48 UTC

Description Eugene Teo (Security Response) 2010-08-20 07:05:24 UTC
Description of problem:
This issue was mentioned in http://grsecurity.net/~spender/64bit_dos.c. Written in the comments: "The second bug here is that the memory usage explodes within the kernel from a single 128k allocation in userland The explosion of memory isn't accounted for by any task so it won't be terminated by the OOM killer."

Acknowledgements:

Red Hat would like to thank Brad Spengler for reporting this issue.

Comment 7 Eugene Teo (Security Response) 2010-09-01 04:37:56 UTC
Two issues here, the BUG_ON condition and the OOM dodging issue.

Roland proposed the solution to the BUG_ON issue with http://lkml.org/lkml/2010/8/30/463 as opposed to Kee's http://www.openwall.com/lists/oss-security/2010/08/27/1.

And Motohiro-san proposed http://lkml.org/lkml/2010/8/29/206 for the OOM dodging issue, but no feedback yet.

re: reproducer, Alexander noted http://lkml.org/lkml/2010/8/30/378.

So I see two possible two CVE assignments.

Comment 8 Eugene Teo (Security Response) 2010-09-01 04:39:24 UTC
Introduced by upstream commit b6a2fea39318e43fee84fa7b0b90d68bed92d2ba.

For my reference, bug 443659 (rhel-5).

Comment 14 Eugene Teo (Security Response) 2010-10-21 03:57:08 UTC
The top-level bug for the BUG_ON issue is bug 645222. This bug will be used to address the OOM dodging issue.

Comment 15 Eugene Teo (Security Response) 2010-10-25 03:50:45 UTC
Update:
http://lkml.org/lkml/2010/10/24/207

Comment 16 Eugene Teo (Security Response) 2010-12-01 02:05:56 UTC
(In reply to comment #15)
> Update:
> http://lkml.org/lkml/2010/10/24/207

http://linux.derkeiler.com/Mailing-Lists/Kernel/2010-11/msg13278.html

Comment 17 Danny Feng 2010-12-01 02:33:18 UTC
(In reply to comment #16)
> (In reply to comment #15)
> > Update:
> > http://lkml.org/lkml/2010/10/24/207
> 
> http://linux.derkeiler.com/Mailing-Lists/Kernel/2010-11/msg13278.html

upstream commit 3c77f845722158206a7209c45ccddc264d19319c

Comment 20 errata-xmlrpc 2011-01-13 21:10:37 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0017 https://rhn.redhat.com/errata/RHSA-2011-0017.html

Comment 21 errata-xmlrpc 2011-01-14 09:02:34 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0017 https://rhn.redhat.com/errata/RHSA-2011-0017.html

Comment 22 errata-xmlrpc 2011-02-22 17:38:30 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0283 https://rhn.redhat.com/errata/RHSA-2011-0283.html

Comment 25 errata-xmlrpc 2011-09-12 19:44:48 UTC
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2011:1253 https://rhn.redhat.com/errata/RHSA-2011-1253.html


Note You need to log in before you can comment on or make changes to this bug.