Bug 703016 - (CVE-2011-1771) CVE-2011-1771 kernel: cifs oops when creating file with O_DIRECT set
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All  OS: Linux
Priority: medium  Severity: medium
: ---
: ---
Assigned To: Red Hat Product Security
public=20110405,reported=20110506,sou...
: Security
Depends On: 702642 703017
Blocks:
Reported: 2011-05-08 22:25 EDT by Eugene Teo (Security Response)
Modified: 2015-07-31 08:42 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-07-29 08:44:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0836 normal SHIPPED_LIVE Important: kernel security and bug fix update 2011-06-01 15:56:53 EDT

Description Eugene Teo (Security Response) 2011-05-08 22:25:46 EDT
BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
IP: [<ffffffffa04a3cc1>] cifsFileInfo_put+0x21/0x220 [cifs]
PGD 15434067 PUD 375bd067 PMD 0 
Oops: 0000 [#1] SMP 
last sysfs file: /sys/devices/virtual/block/dm-1/dm/name
CPU 2 
Modules linked in: cifs nfs nls_utf8 lockd nfs_acl rpcsec_gss_krb5 auth_rpcgss
des_generic sunrpc cachefiles fscache(T) ipv6 dm_mirror dm_region_hash dm_log
virtio_balloon virtio_net sg i2c_piix4 i2c_core ext4 mbcache jbd2 virtio_blk
sr_mod cdrom virtio_pci virtio_ring virtio pata_acpi ata_generic ata_piix
dm_mod [last unloaded: cifs]

Modules linked in: cifs nfs nls_utf8 lockd nfs_acl rpcsec_gss_krb5 auth_rpcgss
des_generic sunrpc cachefiles fscache(T) ipv6 dm_mirror dm_region_hash dm_log
virtio_balloon virtio_net sg i2c_piix4 i2c_core ext4 mbcache jbd2 virtio_blk
sr_mod cdrom virtio_pci virtio_ring virtio pata_acpi ata_generic ata_piix
dm_mod [last unloaded: cifs]
Pid: 11418, comm: opentest Tainted: G           ---------------- T
2.6.32-144.el6.x86_64.debug #1 KVM
RIP: 0010:[<ffffffffa04a3cc1>]  [<ffffffffa04a3cc1>]
cifsFileInfo_put+0x21/0x220 [cifs]
RSP: 0018:ffff8800376f9b98  EFLAGS: 00010282
RAX: ffffffffa04a3f00 RBX: ffff88003b24e1b8 RCX: 0000000000000003
RDX: ffffffffa04bb760 RSI: ffff88003b24e1b8 RDI: 0000000000000000
RBP: ffff8800376f9bc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000100006 R12: 0000000000000008
R13: ffff88002ee7a0d0 R14: ffff88000737b700 R15: ffff88003e7fa578
FS:  00007f4603a80700(0000) GS:ffff880004400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000030 CR3: 000000003d399000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process opentest (pid: 11418, threadinfo ffff8800376f8000, task
ffff8800154e85c0)
Stack:
 0000000000000000 ffff88003b24e1b8 0000000000000008 ffff88002ee7a0d0
<0> ffff88000737b700 ffff88003e7fa578 ffff8800376f9be8 ffffffffa04a3f1d
<0> 0000000000000008 ffff88003b24e1b8 ffff8800376f9c38 ffffffff81190ab8
Call Trace:
 [<ffffffffa04a3f1d>] cifs_close+0x1d/0x40 [cifs]
 [<ffffffff81190ab8>] __fput+0x108/0x280
 [<ffffffff81189ce0>] ? generic_file_open+0x0/0x30
 [<ffffffff81190c55>] fput+0x25/0x30
 [<ffffffff8118c40c>] __dentry_open+0x28c/0x3e0
 [<ffffffff8118c639>] lookup_instantiate_filp+0x69/0x90
 [<ffffffffa04a2182>] cifs_lookup+0x3f2/0x5c0 [cifs]
 [<ffffffff8119e802>] __lookup_hash+0x102/0x160
 [<ffffffff8122f752>] ? selinux_inode_permission+0x72/0xb0
 [<ffffffff8119e93a>] lookup_hash+0x3a/0x50
 [<ffffffff8119f36a>] do_filp_open+0x2ca/0xdc0
 [<ffffffff810d71c2>] ? utrace_stop+0x122/0x1d0
 [<ffffffff811ac63b>] ? alloc_fd+0x3b/0x160
 [<ffffffff8150eccb>] ? _spin_unlock+0x2b/0x40
 [<ffffffff811ac6ab>] ? alloc_fd+0xab/0x160
 [<ffffffff8118c039>] do_sys_open+0x69/0x140
 [<ffffffff8118c150>] sys_open+0x20/0x30
 [<ffffffff8100b3a3>] tracesys+0xd9/0xde

This was reported upstream recently.

    http://marc.info/?l=linux-cifs&m=130204730006155&w=2

...the problem is that CIFS doesn't do O_DIRECT at all, so when you try to open a file with it you get back -EINVAL. CIFS can also do open on lookup in some cases. In that case, fput will be called on the filp, which has not yet had its private_data set.

This is a regression introduced with the patchset to clean up filehandle management in CIFS. The fix is simple and is already upstream -- simply check for a NULL filp->private_data before trying to dereference it.
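
A userspace model of the failure sequence the description gives, added here as an illustration; it is not kernel code and not from this bug's errata or the upstream commit. The struct layouts, the MODEL_O_DIRECT bit and every function body are constructed stand-ins whose names mirror the functions in the trace (cifs_open, cifsFileInfo_put, cifs_close). It runs the pre-fix and the fixed ->release side by side on a plain open, and runs the open-on-lookup path with O_DIRECT only against the fixed release, because the pre-fix one dereferences the NULL private_data there, which is the oops in the report.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the O_DIRECT bit (the real value is in <fcntl.h>). */
#define MODEL_O_DIRECT 0x4000

/* Stand-in for the kernel's struct cifsFileInfo (layout is invented). */
struct cifs_file_info {
    int count;      /* reference count */
    int freed;      /* set when the last reference is dropped */
};

/* Stand-in for the VFS struct file: private_data stays NULL until the
 * filesystem's ->open succeeds. */
struct file {
    int flags;
    struct cifs_file_info *private_data;
};

/* Model of cifsFileInfo_put(): like the real one, it dereferences its
 * argument unconditionally, so a NULL private_data faults here. */
static void cifsFileInfo_put(struct cifs_file_info *cfi)
{
    if (--cfi->count == 0)
        cfi->freed = 1;
}

/* Model of cifs_open(): CIFS does not support O_DIRECT, so the open fails
 * with -EINVAL before private_data is ever assigned. */
static int cifs_open(struct file *f)
{
    if (f->flags & MODEL_O_DIRECT)
        return -EINVAL;
    f->private_data = calloc(1, sizeof(*f->private_data));
    if (f->private_data == NULL)
        return -ENOMEM;
    f->private_data->count = 1;
    return 0;
}

/* Pre-fix ->release: assumes ->open always ran to completion. On a file
 * whose cifs_open() failed this is the NULL dereference in the oops. */
static int cifs_close_vulnerable(struct file *f)
{
    cifsFileInfo_put(f->private_data);
    f->private_data = NULL;
    return 0;
}

/* Fixed ->release, following the description: check private_data for
 * NULL before putting it. */
static int cifs_close_fixed(struct file *f)
{
    if (f->private_data != NULL) {
        cifsFileInfo_put(f->private_data);
        f->private_data = NULL;
    }
    return 0;
}

struct outcome {
    int rc;      /* result of the open */
    int freed;   /* 1 if the cifs_file_info was released on close */
};

/* Model of the open-on-lookup path in the trace (cifs_lookup ->
 * lookup_instantiate_filp -> __dentry_open -> fput): ->open is attempted
 * and, whether or not it succeeded, the file is dropped with fput(),
 * which calls ->release. */
static struct outcome open_then_close(int flags, int (*release)(struct file *))
{
    struct file f = { flags, NULL };
    struct cifs_file_info *cfi;
    struct outcome out;

    out.rc = cifs_open(&f);
    cfi = f.private_data;          /* NULL when cifs_open() failed */
    release(&f);                   /* fput() -> ->release, success or not */
    out.freed = cfi ? cfi->freed : 0;
    free(cfi);
    return out;
}

int main(void)
{
    struct outcome o;

    o = open_then_close(0, cifs_close_vulnerable);
    printf("plain open, pre-fix release:  rc=%d freed=%d\n", o.rc, o.freed);
    o = open_then_close(0, cifs_close_fixed);
    printf("plain open, fixed release:    rc=%d freed=%d\n", o.rc, o.freed);
    /* O_DIRECT is only run against the fixed release: the pre-fix one
     * would dereference NULL here, which is the crash in the report. */
    o = open_then_close(MODEL_O_DIRECT, cifs_close_fixed);
    printf("O_DIRECT open, fixed release: rc=%d freed=%d\n", o.rc, o.freed);
    return 0;
}
```

The point the model makes is the one the fix relies on: the VFS may invoke ->release on a file whose ->open never completed, so anything ->open would have stored in private_data cannot be assumed present in ->release. The same NULL check applies to any filesystem that allocates per-open state lazily.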
Comment 2 Eugene Teo (Security Response) 2011-05-08 22:37:50 EDT
Statement:

This issue did not affect the Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise Linux MRG as they did not backport the upstream commit cdff08e7 that introduced this issue. Future kernel updates for Red Hat Enterprise Linux 6 may address this flaw.
Comment 4 errata-xmlrpc 2011-06-01 15:57:11 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0836 https://rhn.redhat.com/errata/RHSA-2011-0836.html
Comment 5 Eugene Teo (Security Response) 2011-06-28 03:18:43 EDT
Upstream commit:
http://git.kernel.org/linus/7797069305d13252fd66cf722aa8f2cbeb3c95cd
