This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 682641 - (CVE-2011-1090) CVE-2011-1090 kernel: nfs4: Ensure that ACL pages sent over NFS were not allocated from the slab
CVE-2011-1090 kernel: nfs4: Ensure that ACL pages sent over NFS were not allo...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
public=20110305,reported=20110307,sou...
: Security
Depends On: 682642 682643 682644 682645 682646
Blocks:
  Show dependency treegraph
 
Reported: 2011-03-07 00:50 EST by Eugene Teo (Security Response)
Modified: 2015-07-29 13:47 EDT (History)
14 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-07-29 10:07:46 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Eugene Teo (Security Response) 2011-03-07 00:50:28 EST
"The "bad_page()" page allocator sanity check was reported recently (call chain as follows):

  bad_page+0x69/0x91
  free_hot_cold_page+0x81/0x144
  skb_release_data+0x5f/0x98
  __kfree_skb+0x11/0x1a
  tcp_ack+0x6a3/0x1868
  tcp_rcv_established+0x7a6/0x8b9
  tcp_v4_do_rcv+0x2a/0x2fa
  tcp_v4_rcv+0x9a2/0x9f6
  do_timer+0x2df/0x52c
  ip_local_deliver+0x19d/0x263
  ip_rcv+0x539/0x57c
  netif_receive_skb+0x470/0x49f
  :virtio_net:virtnet_poll+0x46b/0x5c5
  net_rx_action+0xac/0x1b3
  __do_softirq+0x89/0x133
  call_softirq+0x1c/0x28
  do_softirq+0x2c/0x7d
  do_IRQ+0xec/0xf5
  default_idle+0x0/0x50
  ret_from_intr+0x0/0xa
  default_idle+0x29/0x50
  cpu_idle+0x95/0xb8
  start_kernel+0x220/0x225
  _sinittext+0x22f/0x236

It occurs because an skb with a fraglist was freed from the tcp retransmit queue when it was acked, but a page on that fraglist had PG_Slab set (indicating it was allocated from the Slab allocator (which means the free path above can't safely free it via put_page.

We tracked this back to an nfsv4 setacl operation, in which the nfs code attempted to fill convert the passed in buffer to an array of pages in __nfs4_proc_set_acl, which gets used by the skb->frags list in xs_sendpages.  __nfs4_proc_set_acl just converts each page in the buffer to a page struct via virt_to_page, but the vfs allocates the buffer via kmalloc, meaning the PG_slab bit is set.  We can't create a buffer with kmalloc and free it later in the tcp ack path with put_page, so we need to either:

1) ensure that when we create the list of pages, no page struct has PG_Slab set

 or

2) not use a page list to send this data

Given that these buffers can be multiple pages and arbitrarily sized, I think (1) is the right way to go.  I've written the below patch to allocate a page from the buddy allocator directly and copy the data over to it.  This ensures that we have a put_page free-able page for every entry that winds up on an skb frag list, so it can be safely freed when the frame is acked.  We do a put page on each entry after the rpc_call_sync call so as to drop our own reference count to the page, leaving only the ref count taken by tcp_sendpages.  This way the data will be properly freed when the ack comes in

Successfully tested by myself to solve the above oops.

Note, as this is the result of a setacl operation that exceeded a page of data, I think this amounts to a local DOS triggerable by an uprivlidged user, so I'm CCing security on this as well."

Upstream commit:
http://git.kernel.org/linus/e9e3d724e2145f5039b423c290ce2b2c3d8f94bc

Introduced in 4b580ee3 v2.6.13-rc4
Comment 4 errata-xmlrpc 2011-04-12 14:20:18 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0429 https://rhn.redhat.com/errata/RHSA-2011-0429.html
Comment 5 errata-xmlrpc 2011-05-19 07:58:52 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0542 https://rhn.redhat.com/errata/RHSA-2011-0542.html
Comment 7 errata-xmlrpc 2011-06-21 19:53:19 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6.0.Z - Server Only

Via RHSA-2011:0883 https://rhn.redhat.com/errata/RHSA-2011-0883.html
Comment 8 Eugene Teo (Security Response) 2011-07-19 01:51:08 EDT
Statement:

This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 4 as it did not backport the upstream commit 4b580ee3 that introduced this issue. This has been addressed in Red Hat Enterprise Linux 5, 6, and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-0429.html, https://rhn.redhat.com/errata/RHSA-2011-0542.html, and https://rhn.redhat.com/errata/RHSA-2011-1253.html.
Comment 9 errata-xmlrpc 2011-09-12 15:44:57 EDT
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2011:1253 https://rhn.redhat.com/errata/RHSA-2011-1253.html

Note You need to log in before you can comment on or make changes to this bug.