Bug 714761 (CVE-2011-2479) - CVE-2011-2479 kernel: thp: madvise on top of /dev/zero private mapping can lead to panic
Summary: CVE-2011-2479 kernel: thp: madvise on top of /dev/zero private mapping can le...
Status: CLOSED ERRATA
Alias: CVE-2011-2479
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: Zhang Kexin
URL:
Whiteboard: public=20110324,reported=20110324,sou...
Keywords: Security
Depends On: 690444 714762
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-06-20 16:04 UTC by Petr Matousek
Modified: 2019-06-08 18:51 UTC (History)
18 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2015-07-29 12:48:54 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0928 normal SHIPPED_LIVE Moderate: kernel security and bug fix update 2011-07-12 21:11:55 UTC

Description Petr Matousek 2011-06-20 16:04:31 UTC
Description of problem:
The huge_memory.c THP page fault was allowed to run if vm_ops was null (which would succeed for /dev/zero MAP_PRIVATE, as the f_op->mmap wouldn't setup a special vma->vm_ops and it would fallback to regular anonymous memory) but other THP logics weren't fully activated for vmas with vm_file not NULL (/dev/zero has a not NULL vma->vm_file).

Unprivileged local user could use this flaw to crash the server.

Upstream patch: 78f11a255749d09025f54d4e2df4fbcb031530e2

References:
https://bugzilla.kernel.org/show_bug.cgi?id=33682
http://www.spinics.net/lists/stable-commits/msg11762.html

Comment 2 Petr Matousek 2011-06-20 16:13:10 UTC
Statement:

The versions of the Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG are not affected because they do not provide support for THP (Transparent Huge Pages). This has been addressed in Red Hat Enterprise Linux 6 via https://rhn.redhat.com/errata/RHSA-2011-0928.html.

Comment 4 Vincent Danen 2011-06-20 19:34:30 UTC
This issue was assigned the name CVE-2011-2479:

http://seclists.org/oss-sec/2011/q2/644

Comment 7 errata-xmlrpc 2011-07-12 21:13:46 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0928 https://rhn.redhat.com/errata/RHSA-2011-0928.html


Note You need to log in before you can comment on or make changes to this bug.