678209 – (CVE-2011-0999) CVE-2011-0999 kernel: thp: prevent hugepages during args/env copying into the user stack

Bug 678209 (CVE-2011-0999) - CVE-2011-0999 kernel: thp: prevent hugepages during args/env copying into the user stack

Summary: CVE-2011-0999 kernel: thp: prevent hugepages during args/env copying into the...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2011-0999
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	674147 Engineering678212 Engineering678213
Blocks:
TreeView+	depends on / blocked

Reported:	2011-02-17 06:44 UTC by Eugene Teo (Security Response)
Modified:	2021-02-24 16:30 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-07-29 13:53:25 UTC

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:0542	0	normal	SHIPPED_LIVE	Important: Red Hat Enterprise Linux 6.1 kernel security, bug fix and enhancement update	2011-05-19 11:58:07 UTC
Red Hat Product Errata	RHSA-2011:0883	0	normal	SHIPPED_LIVE	Important: kernel security and bug fix update	2011-06-21 23:52:55 UTC

Description Eugene Teo (Security Response) 2011-02-17 06:44:34 UTC

Transparent hugepages can only be created if rmap is fully functional. A specially crafted binary could allow the user stack to grow huge and backed by hugepages without this patch while is_vma_temporary_stack() is true.

This also optmizes away some harmless but unnecessary setting of khugepaged_scan.address and it switches some BUG_ON to VM_BUG_ON.

Comment 2 Eugene Teo (Security Response) 2011-02-17 06:48:31 UTC

Upstream commit:
http://git.kernel.org/linus/a7d6e4ecdb7648478ddec76d30d87d03d6e22b31

Comment 5 errata-xmlrpc 2011-05-19 11:58:39 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0542 https://rhn.redhat.com/errata/RHSA-2011-0542.html

Comment 7 errata-xmlrpc 2011-06-21 23:53:09 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6.0.Z - Server Only

Via RHSA-2011:0883 https://rhn.redhat.com/errata/RHSA-2011-0883.html

Comment 8 Eugene Teo (Security Response) 2011-06-29 01:41:14 UTC

Statement:

This issue only affects Red Hat Enterprise Linux 6. The version of Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG as they did not include upstream commit 71e3aac0 that introduced the problem. We have addressed this in Red Hat Enterprise Linux 6 via https://rhn.redhat.com/errata/RHSA-2011-0542.html.

Note You need to log in before you can comment on or make changes to this bug.