Bug 631716 (CVE-2010-3066) - CVE-2010-3066 kernel: io_submit_one() NULL ptr deref
Summary: CVE-2010-3066 kernel: io_submit_one() NULL ptr deref
Status: NEW
Alias: CVE-2010-3066
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,reported=20100902,pub...
Keywords: Reopened, Security
Depends On: 631718 631719 631720 631721
Blocks:
Reported: 2010-09-08 09:17 UTC by Eugene Teo (Security Response)
Modified: 2019-06-08 13:05 UTC (History)
CC List: 8 users
Last Closed: 2010-10-14 16:52:51 UTC
External Trackers
Tracker: Red Hat Product Errata
Tracker ID: RHSA-2010:0839
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: kernel security and bug fix update
Last Updated: 2010-11-09 18:06:20 UTC

Description Eugene Teo (Security Response) 2010-09-08 09:17:03 UTC
Description of problem:
Missing backport patch:
commit 87e2831c3fa39cbf6f7ab676bb5aef039b9659e2
Author: Yan Zheng <yanzheng@21cn.com>
Date:   Mon Oct 8 12:16:20 2007 -0700

    AIO: fix cleanup in io_submit_one(...)
    
    When IOCB_FLAG_RESFD flag is set and iocb->aio_resfd is incorrect,
    statement 'goto out_put_req' is executed. At label 'out_put_req',
    aio_put_req(..) is called, which requires 'req->ki_filp' set.

Upstream patch:
http://git.kernel.org/linus/87e2831c3fa39cbf6f7ab676bb5aef039b9659e2
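The commit message above describes a cleanup-ordering bug: an error path jumps to a label whose release helper reads a field that the function has not assigned yet. The following toy model is an added illustration written for this page, not the kernel's code or the upstream patch; struct and helper names mirror the commit message (ki_filp, IOCB_FLAG_RESFD, out_put_req) but fget_model, put_req_model, resfd_valid, scenario and the error constants are simplified stand-ins, and the file table and submissions are constructed sample data. Instead of crashing, put_req_model reports a NULL ki_filp so the buggy and corrected orderings can be compared side by side, including the file reference the buggy path leaks.

```c
#include <stdbool.h>
#include <stddef.h>

/* Toy model (added illustration, not the kernel's code) of the bug class
 * behind CVE-2010-3066: an error path jumps to a cleanup label whose
 * release helper dereferences a field that has not been set yet. */

#define TOY_EBADF   9
#define TOY_EINVAL 22
#define NULL_DEREF (-1000)   /* stands in for the crash in the real kernel */
#define IOCB_FLAG_RESFD 1
#define NFILES 4

struct file { int refcount; };          /* models a file's reference count */
struct kiocb { struct file *ki_filp; }; /* the request; cleanup reads ki_filp */
struct iocb { int aio_flags; int aio_fildes; int aio_resfd; };

/* Stand-in for fget(): take a reference on a valid descriptor. */
static struct file *fget_model(struct file *table, int fd)
{
    if (fd < 0 || fd >= NFILES)
        return NULL;
    table[fd].refcount++;
    return &table[fd];
}

/* Stand-in for aio_put_req(): the real helper drops req->ki_filp with no
 * NULL check. Here a NULL ki_filp is reported instead of crashing. */
static int put_req_model(struct kiocb *req)
{
    if (req->ki_filp == NULL)
        return NULL_DEREF;
    req->ki_filp->refcount--;
    req->ki_filp = NULL;
    return 0;
}

/* Stand-in for the eventfd lookup that fails on a bad aio_resfd. */
static bool resfd_valid(int resfd) { return resfd >= 0 && resfd < 64; }

/* Vulnerable ordering: the RESFD check can reach out_put_req before
 * ki_filp is assigned, so the cleanup releases a NULL file and the
 * reference taken by fget is never dropped. */
int submit_one_buggy(struct file *table, const struct iocb *iocb)
{
    struct kiocb req = { .ki_filp = NULL };
    struct file *file = fget_model(table, iocb->aio_fildes);
    int ret = 0;

    if (file == NULL)
        return -TOY_EBADF;
    if ((iocb->aio_flags & IOCB_FLAG_RESFD) && !resfd_valid(iocb->aio_resfd)) {
        ret = -TOY_EINVAL;
        goto out_put_req;            /* ki_filp is still NULL here */
    }
    req.ki_filp = file;              /* assigned only after the goto above */
    return 0;                        /* request in flight, reference held */

out_put_req:
    if (put_req_model(&req) == NULL_DEREF)
        return NULL_DEREF;
    return ret;
}

/* Corrected ordering: every field the cleanup label consumes is set
 * before the first path that can jump to it, so out_put_req always
 * drops exactly the reference that fget took. */
int submit_one_fixed(struct file *table, const struct iocb *iocb)
{
    struct kiocb req = { .ki_filp = NULL };
    struct file *file = fget_model(table, iocb->aio_fildes);
    int ret = 0;

    if (file == NULL)
        return -TOY_EBADF;
    req.ki_filp = file;              /* moved ahead of the RESFD check */
    if ((iocb->aio_flags & IOCB_FLAG_RESFD) && !resfd_valid(iocb->aio_resfd)) {
        ret = -TOY_EINVAL;
        goto out_put_req;
    }
    return 0;

out_put_req:
    put_req_model(&req);             /* ki_filp guaranteed non-NULL */
    return ret;
}

/* Run one constructed submission against a fresh file table and return
 * the submit result (kind 0) or the descriptor's remaining refcount (kind 1). */
int scenario(bool fixed, int kind, int flags, int fildes, int resfd)
{
    struct file table[NFILES] = { {0}, {0}, {0}, {0} };
    struct iocb iocb = { .aio_flags = flags, .aio_fildes = fildes, .aio_resfd = resfd };
    int ret = fixed ? submit_one_fixed(table, &iocb) : submit_one_buggy(table, &iocb);

    if (kind == 0)
        return ret;
    return (fildes >= 0 && fildes < NFILES) ? table[fildes].refcount : 0;
}
```

The invariant worth checking in any review of such code is that the cleanup label's preconditions hold on every path that can reach it; the model's leaked refcount on the buggy path shows that the same misordering also defeats resource release, not just the NULL dereference.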

Comment 2 Eugene Teo (Security Response) 2010-09-08 09:22:49 UTC
Acknowledgements:

Red Hat would like to thank Tavis Ormandy for reporting this issue.

Comment 4 Jeff Moyer 2010-10-14 16:52:51 UTC
The aio eventfd patches weren't backported to RHEL 4, so this bug doesn't exist on RHEL 4 at all.

Comment 5 Jiri Pirko 2010-10-19 08:45:45 UTC
(In reply to comment #4)
> The aio eventfd patches weren't backported to RHEL 4, so this bug doesn't exist
> on RHEL 4 at all.

That's certainly nice, but this bug still exists for RHEL 5, and as this bz is the root bug, closing it with NOTABUG is just bogus -> setting state to ASSIGNED.

Comment 9 errata-xmlrpc 2010-11-09 18:06:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0839 https://rhn.redhat.com/errata/RHSA-2010-0839.html

Comment 10 Vincent Danen 2010-11-09 18:44:11 UTC
Statement:

This issue did not affect the version of Linux kernel as shipped with Red Hat
Enterprise Linux 3 and 4 as they did not include support for eventfd in the
Async I/O (AIO) implementation. It did not affect the version of Linux kernel
as shipped with Red Hat Enterprise MRG as it has already had the fix to this
issue. This issue was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0839.html
