Bug 633170 (CVE-2010-3086) - CVE-2010-3086 kernel panic via futex
Summary: CVE-2010-3086 kernel panic via futex
Alias: CVE-2010-3086
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Duplicates: 633940
Depends On: 633175 633176
Reported: 2010-09-13 05:01 UTC by Eugene Teo (Security Response)
Modified: 2023-05-11 16:30 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2021-10-19 09:14:54 UTC


Related errata: Red Hat Product Errata RHSA-2010:0839 (Priority: normal, Status: SHIPPED_LIVE, last updated 2010-11-09 18:06:20 UTC): Moderate: kernel security and bug fix update

Description Eugene Teo (Security Response) 2010-09-13 05:01:16 UTC
Description of problem:
BUG: unable to handle kernel paging request at virtual address 0028a000
 printing eip:
*pde = 2902e067
Oops: 0002 [#1]
last sysfs file: /devices/pci0000:00/0000:00:00.0/resource
Modules linked in: autofs4 hidp rfcomm l2cap bluetooth lockd sunrpc ip_conntrack_netbios_ns ipt_REJECT xt_state ip_conntrack nfnetlink iptable_filter ip_tables ip6t_REJECT xt_tcpudp ip6table_filter ip6_tables x_tables ipv6 xfrm_nalgo crypto_api vmblock(U) vsock(U) vmmemctl(U) vmhgfs(U) acpiphp dm_mirror dm_multipath scsi_dh video backlight sbs power_meter hwmon i2c_ec dell_wmi wmi button battery asus_acpi ac lp floppy sg pcspkr snd_ens1371 gameport snd_rawmidi snd_ac97_codec ac97_bus snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss i2c_piix4 i2c_core vmci(U) snd_mixer_oss snd_pcm snd_timer snd soundcore snd_page_alloc mii parport_pc ide_cd parport cdrom serio_raw pvscsi(U) vmxnet3(U) vmxnet(U) dm_raid45 dm_message dm_region_hash dm_log dm_mod dm_mem_cache ata_piix libata mptspi mptscsih mptbase scsi_transport_spi sd_mod scsi_mod ext3 jbd uhci_hcd ohci_hcd ehci_hcd
CPU:    0
EIP:    0060:[<c0439751>]    Tainted: G      VLI
EFLAGS: 00210246   (2.6.18-194.11.3.el5 #1)
EIP is at futex_lock_pi+0x1ad/0x822
eax: 00000000   ebx: c07bdb10   ecx: 0000128d   edx: 00000000
esi: fffffff2   edi: 00000000   ebp: 0028a000   esp: dea9ce08
ds: 007b   es: 007b   ss: 0068
Process iknowthis (pid: 4749, ti=dea9c000 task=e9620550 task.ti=dea9c000)
Stack: d08a2d59 13f631b6 00000000 00000000 00000000 dea9ce78 e9620550 00000000
      00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      00000000 00000001 dea9ce50 dea9ce50 c07bdb10 0028a000 e96bf900 00000000
Call Trace:
 [<c0438448>] hrtimer_wakeup+0x0/0x18
 [<c043a953>] do_futex+0xb8d/0xbf6
 [<c044bece>] audit_syscall_entry+0x15a/0x18c
 [<c043aacd>] sys_futex+0x111/0x127
 [<c0404f17>] syscall_call+0x7/0xb
Code: 89 e0 89 ee 25 00 f0 ff ff 8b 10 8b 8a a8 00 00 00 83 c6 04 19 d2 39 70 18 83 da 00 ff 40 14 85 d2 be f2 ff ff ff 75 09 89 d0 90 <0f> b1 4d 00 89 c6 89 e0 25 00 f0 ff ff ff 48 14 83 fe f2 0f 84
EIP: [<c0439751>] futex_lock_pi+0x1ad/0x822 SS:ESP 0068:dea9ce08
 <0>Kernel panic - not syncing: Fatal exception


Red Hat would like to thank Tavis Ormandy for reporting this issue.

Comment 5 Eugene Teo (Security Response) 2010-10-11 01:35:48 UTC
Upstream commit:
x86: replace LOCK_PREFIX in futex.h

Comment 7 Eugene Teo (Security Response) 2010-11-02 05:30:37 UTC
This issue did not affect the version of the Linux kernel as shipped with Red Hat Enterprise Linux 3 and 4, as they did not support the FUTEX_LOCK_PI futex operation. It did not affect the version of the Linux kernel as shipped with Red Hat Enterprise MRG, as it already had the fix for this issue. This issue was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0839.html

Comment 8 errata-xmlrpc 2010-11-09 18:06:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0839 https://rhn.redhat.com/errata/RHSA-2010-0839.html

Comment 9 Jes Sorensen 2013-02-27 09:46:02 UTC
*** Bug 633940 has been marked as a duplicate of this bug. ***
