Bug 703016 (CVE-2011-1771) - CVE-2011-1771 kernel: cifs oops when creating file with O_DIRECT set
Summary: CVE-2011-1771 kernel: cifs oops when creating file with O_DIRECT set
Status: CLOSED ERRATA
Alias: CVE-2011-1771
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20110405,reported=20110506,sou...
Keywords: Security
Depends On: 702642 703017
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-05-09 02:25 UTC by Eugene Teo (Security Response)
Modified: 2019-06-08 18:48 UTC (History)
17 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2015-07-29 12:44:55 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0836 normal SHIPPED_LIVE Important: kernel security and bug fix update 2011-06-01 19:56:53 UTC

Description Eugene Teo (Security Response) 2011-05-09 02:25:46 UTC
BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
IP: [<ffffffffa04a3cc1>] cifsFileInfo_put+0x21/0x220 [cifs]
PGD 15434067 PUD 375bd067 PMD 0 
Oops: 0000 [#1] SMP 
last sysfs file: /sys/devices/virtual/block/dm-1/dm/name
CPU 2 
Modules linked in: cifs nfs nls_utf8 lockd nfs_acl rpcsec_gss_krb5 auth_rpcgss
des_generic sunrpc cachefiles fscache(T) ipv6 dm_mirror dm_region_hash dm_log
virtio_balloon virtio_net sg i2c_piix4 i2c_core ext4 mbcache jbd2 virtio_blk
sr_mod cdrom virtio_pci virtio_ring virtio pata_acpi ata_generic ata_piix
dm_mod [last unloaded: cifs]

Modules linked in: cifs nfs nls_utf8 lockd nfs_acl rpcsec_gss_krb5 auth_rpcgss
des_generic sunrpc cachefiles fscache(T) ipv6 dm_mirror dm_region_hash dm_log
virtio_balloon virtio_net sg i2c_piix4 i2c_core ext4 mbcache jbd2 virtio_blk
sr_mod cdrom virtio_pci virtio_ring virtio pata_acpi ata_generic ata_piix
dm_mod [last unloaded: cifs]
Pid: 11418, comm: opentest Tainted: G           ---------------- T
2.6.32-144.el6.x86_64.debug #1 KVM
RIP: 0010:[<ffffffffa04a3cc1>]  [<ffffffffa04a3cc1>]
cifsFileInfo_put+0x21/0x220 [cifs]
RSP: 0018:ffff8800376f9b98  EFLAGS: 00010282
RAX: ffffffffa04a3f00 RBX: ffff88003b24e1b8 RCX: 0000000000000003
RDX: ffffffffa04bb760 RSI: ffff88003b24e1b8 RDI: 0000000000000000
RBP: ffff8800376f9bc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000100006 R12: 0000000000000008
R13: ffff88002ee7a0d0 R14: ffff88000737b700 R15: ffff88003e7fa578
FS:  00007f4603a80700(0000) GS:ffff880004400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000030 CR3: 000000003d399000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process opentest (pid: 11418, threadinfo ffff8800376f8000, task
ffff8800154e85c0)
Stack:
 0000000000000000 ffff88003b24e1b8 0000000000000008 ffff88002ee7a0d0
<0> ffff88000737b700 ffff88003e7fa578 ffff8800376f9be8 ffffffffa04a3f1d
<0> 0000000000000008 ffff88003b24e1b8 ffff8800376f9c38 ffffffff81190ab8
Call Trace:
 [<ffffffffa04a3f1d>] cifs_close+0x1d/0x40 [cifs]
 [<ffffffff81190ab8>] __fput+0x108/0x280
 [<ffffffff81189ce0>] ? generic_file_open+0x0/0x30
 [<ffffffff81190c55>] fput+0x25/0x30
 [<ffffffff8118c40c>] __dentry_open+0x28c/0x3e0
 [<ffffffff8118c639>] lookup_instantiate_filp+0x69/0x90
 [<ffffffffa04a2182>] cifs_lookup+0x3f2/0x5c0 [cifs]
 [<ffffffff8119e802>] __lookup_hash+0x102/0x160
 [<ffffffff8122f752>] ? selinux_inode_permission+0x72/0xb0
 [<ffffffff8119e93a>] lookup_hash+0x3a/0x50
 [<ffffffff8119f36a>] do_filp_open+0x2ca/0xdc0
 [<ffffffff810d71c2>] ? utrace_stop+0x122/0x1d0
 [<ffffffff811ac63b>] ? alloc_fd+0x3b/0x160
 [<ffffffff8150eccb>] ? _spin_unlock+0x2b/0x40
 [<ffffffff811ac6ab>] ? alloc_fd+0xab/0x160
 [<ffffffff8118c039>] do_sys_open+0x69/0x140
 [<ffffffff8118c150>] sys_open+0x20/0x30
 [<ffffffff8100b3a3>] tracesys+0xd9/0xde

This was reported upstream recently.

    http://marc.info/?l=linux-cifs&m=130204730006155&w=2

...the problem is that CIFS doesn't do O_DIRECT at all, so when you try to open a file with it you get back -EINVAL. CIFS can also do open on lookup in some cases. In that case, fput will be called on the filp, which has not yet had its private_data set.

This is a regression introduced with the patchset to clean up filehandle management in CIFS. The fix is simple and is already upstream -- simply check for a NULL filp->private_data before trying to dereference it.

Comment 2 Eugene Teo (Security Response) 2011-05-09 02:37:50 UTC
Statement:

This issue did not affect the Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise Linux MRG as they did not backport the upstream commit cdff08e7 that introduced this issue. Future kernel updates for Red Hat Enterprise Linux 6 may address this flaw.

Comment 4 errata-xmlrpc 2011-06-01 19:57:11 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0836 https://rhn.redhat.com/errata/RHSA-2011-0836.html

Comment 5 Eugene Teo (Security Response) 2011-06-28 07:18:43 UTC
Upstream commit:
http://git.kernel.org/linus/7797069305d13252fd66cf722aa8f2cbeb3c95cd


Note You need to log in before you can comment on or make changes to this bug.