Bug 653648 - (CVE-2011-0695) CVE-2011-0695 kernel: panic in ib_cm:cm_work_handler
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified Linux
Priority: high Severity: high
Assigned To: Red Hat Product Security
QA Contact: Infiniband QE
Whiteboard: public=20101115,reported=20110209,sou...
Keywords: Security
Depends On: 676190 676191 676192 679995 679996
Reported: 2010-11-15 16:02 EST by Guy Streeter
Modified: 2016-02-09 20:33 EST
Doc Type: Bug Fix
Last Closed: 2015-05-04 02:08:55 EDT
Description Guy Streeter 2010-11-15 16:02:33 EST
Customer has a repeatable panic in InfiniBand code. In cm_work_handler (the one in cm.c, not iwcm.c) the cm_work structure is retrieved from the work_struct, and the attempt to dereference its mad_recv_wc pointer causes the crash, because the pointer has been incremented by one.

vmcores are on megatron.gsslab.rdu.redhat.com
in
/cores/20101108125468/work
and
/cores/20101108125467/work

Acknowledgements:

Red Hat would like to thank Jens Kuehnel for reporting this issue.
Comment 1 Guy Streeter 2010-11-15 17:37:45 EST
They tried the 1.3 kernel and got this backtrace:

6-NOV-2010 01:03:54.36|ott0140.xeop.de login: BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
 6-NOV-2010 01:03:54.36|IP: [<ffffffff810c54f0>] put_compound_page+0x11/0x24
 6-NOV-2010 01:03:54.36|PGD 620d8b067 PUD 4da801067 PMD 0
 6-NOV-2010 01:03:54.36|Oops: 0002 [#1] PREEMPT SMP
 6-NOV-2010 01:03:54.36|last sysfs file: /sys/class/infiniband/mlx4_0/node_guid
 6-NOV-2010 01:03:54.36|CPU 1
 6-NOV-2010 01:03:54.36|Pid: 28628, comm: OFI Not tainted 2.6.33.7-rt29.45.el5rt #1 /ProLiant BL460c G1
 6-NOV-2010 01:03:54.36|RIP: 0010:[<ffffffff810c54f0>]  [<ffffffff810c54f0>] put_compound_page+0x11/0x24
 6-NOV-2010 01:03:54.36|RSP: 0018:ffff880561a8fd28  EFLAGS: 00010286
 6-NOV-2010 01:03:54.41|RAX: 0000000000000000 RBX: ffff880711f84800 RCX: 0000000000000000
 6-NOV-2010 01:03:54.41|RDX: 0000000000000000 RSI: 11a0dbc0ffffea00 RDI: 0000000000000000
 6-NOV-2010 01:03:54.41|RBP: ffff880561a8fd28 R08: ffff880561a8fd38 R09: ffffffff813552af
 6-NOV-2010 01:03:54.41|R10: ffff880730581c00 R11: dead000000200200 R12: ffff880711f84918
 6-NOV-2010 01:03:54.41|R13: ffffea0011a0db5c R14: 0000000000000008 R15: ffff8807306dc6e0
 6-NOV-2010 01:03:54.41|FS:  00000000421bb940(0063) GS:ffff880028240000(0000) knlGS:0000000000000000
 6-NOV-2010 01:03:54.56|CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 6-NOV-2010 01:03:54.56|CR2: 0000000000000008 CR3: 0000000561874000 CR4: 00000000000406e0
 6-NOV-2010 01:03:54.56|DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 6-NOV-2010 01:03:54.56|DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
 6-NOV-2010 01:03:54.56|Process OFI (pid: 28628, threadinfo ffff880561a8e000, task ffff88059d8ca600)
 6-NOV-2010 01:03:54.56|Stack:
 6-NOV-2010 01:03:54.56| ffff880561a8fd58 ffffffff810c5e4e ffff880711f84818 ffff880711f84800
 6-NOV-2010 01:03:54.56|<0> ffff880711f84918 ffffea0011a0db5c ffff880561a8fda8 ffffffffa02789fa
 6-NOV-2010 01:03:54.61|<0> 000000012699c4c8 ffff8807306dc6c0 ffff88082a202800 ffff8807306dc6c0
 6-NOV-2010 01:03:54.61|Call Trace:
 6-NOV-2010 01:03:54.61| [<ffffffff810c5e4e>] put_page+0x21/0x7a
 6-NOV-2010 01:03:54.61| [<ffffffffa02789fa>] __ib_umem_release+0xb2/0xe6 [ib_core]
 6-NOV-2010 01:03:54.61| [<ffffffffa0278fe2>] ib_umem_release+0x26/0xd8 [ib_core]
 6-NOV-2010 01:03:54.61| [<ffffffffa028a0a5>] mlx4_ib_destroy_qp+0x254/0x2eb [mlx4_ib]
 6-NOV-2010 01:03:54.61| [<ffffffffa0274c46>] ib_destroy_qp+0x29/0x4f [ib_core]
 6-NOV-2010 01:03:54.61| [<ffffffffa03a311d>] ib_uverbs_destroy_qp+0x94/0x161 [ib_uverbs]
 6-NOV-2010 01:03:54.61| [<ffffffffa039fa17>] ib_uverbs_write+0xa6/0xc0 [ib_uverbs]
 6-NOV-2010 01:03:54.61| [<ffffffff810f528b>] ? rw_verify_area+0x8d/0xb1
 6-NOV-2010 01:03:54.66| [<ffffffff810f56cc>] vfs_write+0xb0/0x10a
 6-NOV-2010 01:03:54.66| [<ffffffff810f57ea>] sys_write+0x4c/0x72
 6-NOV-2010 01:03:54.66| [<ffffffff81002d1b>] system_call_fastpath+0x16/0x1b
 6-NOV-2010 01:03:54.66|Code: c9 c3 55 48 89 e5 0f 1f 44 00 00 66 83 3f 00 79 04 48 8b 7f 10 c9 48 89 f8 c3 55 48 89 e5 0f 1f 44 00 00 e8 da
 ff ff ff 48 89 c2 <f0> ff 48 08 0f 94 c0 84 c0 74 06 48 89 d7 ff 52 60 c9 c3 55 48
 6-NOV-2010 01:03:54.66|RIP  [<ffffffff810c54f0>] put_compound_page+0x11/0x24
 6-NOV-2010 01:03:54.71| RSP <ffff880561a8fd28>
 6-NOV-2010 01:03:54.71|CR2: 0000000000000008
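
A triage sketch for the console-captured oops above, added here as an example and not part of the original bug report: it strips the capture timestamps, extracts the fault address and faulting function, and lists the modules on the call trace. The function names are assumptions of this example, and the embedded sample consists of lines copied from the backtrace and trimmed.

```python
import re

# Sample input: lines copied from the backtrace above and trimmed.
SAMPLE = """\
6-NOV-2010 01:03:54.36|BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
 6-NOV-2010 01:03:54.36|IP: [<ffffffff810c54f0>] put_compound_page+0x11/0x24
 6-NOV-2010 01:03:54.61|Call Trace:
 6-NOV-2010 01:03:54.61| [<ffffffff810c5e4e>] put_page+0x21/0x7a
 6-NOV-2010 01:03:54.61| [<ffffffffa02789fa>] __ib_umem_release+0xb2/0xe6 [ib_core]
 6-NOV-2010 01:03:54.61| [<ffffffff810f528b>] ? rw_verify_area+0x8d/0xb1
 6-NOV-2010 01:03:54.71|CR2: 0000000000000008
"""

PREFIX = re.compile(r"^\s*\d{1,2}-[A-Z]{3}-\d{4} [\d:.]+\|")  # capture timestamp
FAULT = re.compile(r"BUG: unable to handle kernel (.+?) at ([0-9a-f]{16})")
IP = re.compile(r"^IP: \[<[0-9a-f]{16}>\]\s+([\w.]+)\+")
FRAME = re.compile(r"\[<[0-9a-f]{16}>\]\s+(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+"
                   r"(?:\s+\[(\w+)\])?")

def parse_oops(text):
    """Return fault type, fault address, faulting function and call-trace frames."""
    report = {"fault": None, "address": None, "ip": None, "frames": []}
    in_trace = False
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        if m := FAULT.search(line):
            report["fault"], report["address"] = m.group(1), int(m.group(2), 16)
        elif m := IP.match(line):
            report["ip"] = m.group(1)
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace:
            m = FRAME.search(line)
            if not m:
                in_trace = False  # first non-frame line ends the trace
                continue
            # "?" marks a stack address that may not be part of the real call chain.
            report["frames"].append({"symbol": m.group(2), "module": m.group(3),
                                     "reliable": m.group(1) is None})
    return report

def summarize(report):
    """Condense a parsed oops; a fault address inside page 0 is NULL plus an offset."""
    modules = []
    for f in report["frames"]:
        if f["reliable"] and f["module"] and f["module"] not in modules:
            modules.append(f["module"])
    return {"faulting_function": report["ip"], "modules_on_stack": modules,
            "null_plus_offset": report["address"] is not None
                                and report["address"] < 4096}
```
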
Comment 18 Eugene Teo (Security Response) 2011-02-23 21:51:00 EST
Proposed patches:
[PATCH 1/2] rdma/cm: Fix crash in request handlers
http://www.spinics.net/lists/linux-rdma/msg07447.html
[PATCH 2/2] ib/cm: Bump reference count on cm_id before invoking callback
http://www.spinics.net/lists/linux-rdma/msg07448.html
Comment 26 Eugene Teo (Security Response) 2011-03-11 01:03:00 EST
Statement:

This has been addressed in Red Hat Enterprise Linux 5, 6, and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-0927.html, https://rhn.redhat.com/errata/RHSA-2011-0421.html, and https://rhn.redhat.com/errata/RHSA-2011-0500.html. Red Hat Enterprise Linux 4 is now in Production 3 of the maintenance life-cycle, https://access.redhat.com/support/policy/updates/errata/, therefore the fix for this issue is not currently planned to be included in the future updates.
Comment 31 errata-xmlrpc 2011-04-07 22:57:03 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0421 https://rhn.redhat.com/errata/RHSA-2011-0421.html
Comment 32 John Kacur 2011-04-12 08:30:04 EDT
Upstream commits:

25ae21a10112875763c18b385624df713a288a05
29963437a48475036353b95ab142bf199adb909e
Comment 33 errata-xmlrpc 2011-05-10 13:18:29 EDT
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2011:0500 https://rhn.redhat.com/errata/RHSA-2011-0500.html
Comment 34 errata-xmlrpc 2011-07-15 02:08:04 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0927 https://rhn.redhat.com/errata/RHSA-2011-0927.html
