Bug 714761 – CVE-2011-2479 kernel: thp: madvise on top of /dev/zero private mapping can lead to panic

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 714761 - (CVE-2011-2479) CVE-2011-2479 kernel: thp: madvise on top of /dev/zero private mapping can lead to panic

Summary:	CVE-2011-2479 kernel: thp: madvise on top of /dev/zero private mapping can le...

Status:	CLOSED ERRATA

Aliases:	CVE-2011-2479

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:	Zhang Kexin
Docs Contact:

URL:
Whiteboard:	public=20110324,reported=20110324,sou...
Keywords:	Security

Depends On:	690444 714762
Blocks:
	Show dependency tree / graph

Reported:	2011-06-20 12:04 EDT by Petr Matousek
Modified:	2015-07-31 08:44 EDT (History)
CC List:	18 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2015-07-29 08:48:54 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:0928	normal	SHIPPED_LIVE	Moderate: kernel security and bug fix update	2011-07-12 17:11:55 EDT

Groups: None (edit)

Description Petr Matousek 2011-06-20 12:04:31 EDT

Description of problem:
The huge_memory.c THP page fault was allowed to run if vm_ops was null (which would succeed for /dev/zero MAP_PRIVATE, as the f_op->mmap wouldn't setup a special vma->vm_ops and it would fallback to regular anonymous memory) but other THP logics weren't fully activated for vmas with vm_file not NULL (/dev/zero has a not NULL vma->vm_file).

Unprivileged local user could use this flaw to crash the server.

Upstream patch: 78f11a255749d09025f54d4e2df4fbcb031530e2

References:
https://bugzilla.kernel.org/show_bug.cgi?id=33682
http://www.spinics.net/lists/stable-commits/msg11762.html

Comment 2 Petr Matousek 2011-06-20 12:13:10 EDT

Statement:

The versions of the Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG are not affected because they do not provide support for THP (Transparent Huge Pages). This has been addressed in Red Hat Enterprise Linux 6 via https://rhn.redhat.com/errata/RHSA-2011-0928.html.

Comment 4 Vincent Danen 2011-06-20 15:34:30 EDT

This issue was assigned the name CVE-2011-2479:

http://seclists.org/oss-sec/2011/q2/644

Comment 7 errata-xmlrpc 2011-07-12 17:13:46 EDT

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0928 https://rhn.redhat.com/errata/RHSA-2011-0928.html

Note You need to log in before you can comment on or make changes to this bug.