Bug 653648 (CVE-2011-0695) - CVE-2011-0695 kernel: panic in ib_cm:cm_work_handler
Summary: CVE-2011-0695 kernel: panic in ib_cm:cm_work_handler
Alias: CVE-2011-0695
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: Infiniband QE
Depends On: 676190 676191 676192 679995 679996
TreeView+ depends on / blocked
Reported: 2010-11-15 21:02 UTC by Guy Streeter
Modified: 2021-02-24 17:02 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-05-04 06:08:55 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0421 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2011-04-08 02:56:45 UTC
Red Hat Product Errata RHSA-2011:0500 0 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2011-05-10 17:18:23 UTC
Red Hat Product Errata RHSA-2011:0927 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2011-07-15 06:07:56 UTC

Description Guy Streeter 2010-11-15 21:02:33 UTC
Customer has a repeatable panic in infinband code. In cm_work_handler (the one in cm.c, not iwcm.c) the cm_work structure is retrieved from the work_struct, and the attempt to dereference its mad_recv_wc pointer causes the crash, because the pointer has been incremented by one.

vmcores are on megatron.gsslab.rdu.redhat.com


Red Hat would like to thank Jens Kuehnel for reporting this issue.

Comment 1 Guy Streeter 2010-11-15 22:37:45 UTC
They tried the 1.3 kernel and got this backtrace:

6-NOV-2010 01:03:54.36|ott0140.xeop.de login: BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
 6-NOV-2010 01:03:54.36|IP: [<ffffffff810c54f0>] put_compound_page+0x11/0x24
 6-NOV-2010 01:03:54.36|PGD 620d8b067 PUD 4da801067 PMD 0
 6-NOV-2010 01:03:54.36|Oops: 0002 [#1] PREEMPT SMP
 6-NOV-2010 01:03:54.36|last sysfs file: /sys/class/infiniband/mlx4_0/node_guid
 6-NOV-2010 01:03:54.36|CPU 1
 6-NOV-2010 01:03:54.36|Pid: 28628, comm: OFI Not tainted #1 /ProLiant BL460c G1
 6-NOV-2010 01:03:54.36|RIP: 0010:[<ffffffff810c54f0>]  [<ffffffff810c54f0>] put_compound_page+0x11/0x24
 6-NOV-2010 01:03:54.36|RSP: 0018:ffff880561a8fd28  EFLAGS: 00010286
 6-NOV-2010 01:03:54.41|RAX: 0000000000000000 RBX: ffff880711f84800 RCX: 0000000000000000
 6-NOV-2010 01:03:54.41|RDX: 0000000000000000 RSI: 11a0dbc0ffffea00 RDI: 0000000000000000
 6-NOV-2010 01:03:54.41|RBP: ffff880561a8fd28 R08: ffff880561a8fd38 R09: ffffffff813552af
 6-NOV-2010 01:03:54.41|R10: ffff880730581c00 R11: dead000000200200 R12: ffff880711f84918
 6-NOV-2010 01:03:54.41|R13: ffffea0011a0db5c R14: 0000000000000008 R15: ffff8807306dc6e0
 6-NOV-2010 01:03:54.41|FS:  00000000421bb940(0063) GS:ffff880028240000(0000) knlGS:0000000000000000
 6-NOV-2010 01:03:54.56|CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 6-NOV-2010 01:03:54.56|CR2: 0000000000000008 CR3: 0000000561874000 CR4: 00000000000406e0
 6-NOV-2010 01:03:54.56|DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 6-NOV-2010 01:03:54.56|DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
 6-NOV-2010 01:03:54.56|Process OFI (pid: 28628, threadinfo ffff880561a8e000, task ffff88059d8ca600)
 6-NOV-2010 01:03:54.56|Stack:
 6-NOV-2010 01:03:54.56| ffff880561a8fd58 ffffffff810c5e4e ffff880711f84818 ffff880711f84800
 6-NOV-2010 01:03:54.56|<0> ffff880711f84918 ffffea0011a0db5c ffff880561a8fda8 ffffffffa02789fa
 6-NOV-2010 01:03:54.61|<0> 000000012699c4c8 ffff8807306dc6c0 ffff88082a202800 ffff8807306dc6c0
 6-NOV-2010 01:03:54.61|Call Trace:
 6-NOV-2010 01:03:54.61| [<ffffffff810c5e4e>] put_page+0x21/0x7a
 6-NOV-2010 01:03:54.61| [<ffffffffa02789fa>] __ib_umem_release+0xb2/0xe6 [ib_core]
 6-NOV-2010 01:03:54.61| [<ffffffffa0278fe2>] ib_umem_release+0x26/0xd8 [ib_core]
 6-NOV-2010 01:03:54.61| [<ffffffffa028a0a5>] mlx4_ib_destroy_qp+0x254/0x2eb [mlx4_ib]
 6-NOV-2010 01:03:54.61| [<ffffffffa0274c46>] ib_destroy_qp+0x29/0x4f [ib_core]
 6-NOV-2010 01:03:54.61| [<ffffffffa03a311d>] ib_uverbs_destroy_qp+0x94/0x161 [ib_uverbs]
 6-NOV-2010 01:03:54.61| [<ffffffffa039fa17>] ib_uverbs_write+0xa6/0xc0 [ib_uverbs]
 6-NOV-2010 01:03:54.61| [<ffffffff810f528b>] ? rw_verify_area+0x8d/0xb1
 6-NOV-2010 01:03:54.66| [<ffffffff810f56cc>] vfs_write+0xb0/0x10a
 6-NOV-2010 01:03:54.66| [<ffffffff810f57ea>] sys_write+0x4c/0x72
 6-NOV-2010 01:03:54.66| [<ffffffff81002d1b>] system_call_fastpath+0x16/0x1b
 6-NOV-2010 01:03:54.66|Code: c9 c3 55 48 89 e5 0f 1f 44 00 00 66 83 3f 00 79 04 48 8b 7f 10 c9 48 89 f8 c3 55 48 89 e5 0f 1f 44 00 00 e8 da
 ff ff ff 48 89 c2 <f0> ff 48 08 0f 94 c0 84 c0 74 06 48 89 d7 ff 52 60 c9 c3 55 48
 6-NOV-2010 01:03:54.66|RIP  [<ffffffff810c54f0>] put_compound_page+0x11/0x24
 6-NOV-2010 01:03:54.71| RSP <ffff880561a8fd28>
 6-NOV-2010 01:03:54.71|CR2: 0000000000000008

Comment 18 Eugene Teo (Security Response) 2011-02-24 02:51:00 UTC
Proposed patches:
[PATCH 1/2] rdma/cm: Fix crash in request handlers
[PATCH 2/2] ib/cm: Bump reference count on cm_id before invoking callback

Comment 26 Eugene Teo (Security Response) 2011-03-11 06:03:00 UTC

This has been addressed in Red Hat Enterprise Linux 5, 6, and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-0927.html, https://rhn.redhat.com/errata/RHSA-2011-0421.html, and https://rhn.redhat.com/errata/RHSA-2011-0500.html. Red Hat Enterprise Linux 4 is now in Production 3 of the maintenance life-cycle, https://access.redhat.com/support/policy/updates/errata/, therefore the fix for this issue is not currently planned to be included in the future updates.

Comment 31 errata-xmlrpc 2011-04-08 02:57:03 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0421 https://rhn.redhat.com/errata/RHSA-2011-0421.html

Comment 32 John Kacur 2011-04-12 12:30:04 UTC
Upstream commits:


Comment 33 errata-xmlrpc 2011-05-10 17:18:29 UTC
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2011:0500 https://rhn.redhat.com/errata/RHSA-2011-0500.html

Comment 34 errata-xmlrpc 2011-07-15 06:08:04 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0927 https://rhn.redhat.com/errata/RHSA-2011-0927.html

Note You need to log in before you can comment on or make changes to this bug.