Bug 755455 (CVE-2011-4325) - CVE-2011-4325 kernel: nfs: diotest4 from LTP crash client null pointer deref
Summary: CVE-2011-4325 kernel: nfs: diotest4 from LTP crash client null pointer deref
Alias: CVE-2011-4325
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 754620 755457 782689
Blocks: 755452
Reported: 2011-11-21 07:52 UTC by Eugene Teo (Security Response)
Modified: 2021-02-24 13:44 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-05-04 07:57:26 UTC

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:0007 0 normal SHIPPED_LIVE Important: kernel security, bug fix, and enhancement update 2012-01-11 01:02:46 UTC

Description Eugene Teo (Security Response) 2011-11-21 07:52:20 UTC
diotest4 from LTP will crash the client on an NFS mount. Not a regression; the 5.7 GA
kernel has the same issue.

Unable to handle kernel NULL pointer dereference at 0000000000000038 RIP:
 [<ffffffff887aed65>] :nfs:__put_nfs_open_context+0x7/0x93
PGD 16bba2067 PUD 14bcd1067 PMD 0
Oops: 0000 [1] SMP
last sysfs file: /devices/pci0000:00/0000:00:00.0/local_cpus
Modules linked in: nfs nfsd exportfs nfs_acl auth_rpcgss autofs4 hidp rfcomm
l2cap bluetooth lockd sunrpc cpufreq_ondemand acpi_cpufreq freq_table mperf
ipt_REJECT ip6t_REJECT xt_tcpudp ip6table_filter ip6_tables x_tables be2iscsi
ib_iser rdma_cm ib_cm iw_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp bnx2i cnic
ipv6 xfrm_nalgo crypto_api uio cxgb3i libcxgbi cxgb3 8021q libiscsi_tcp
libiscsi2 scsi_transport_iscsi2 scsi_transport_iscsi dm_mirror dm_multipath
scsi_dh video backlight sbs power_meter hwmon i2c_ec dell_wmi wmi button
battery asus_acpi acpi_memhotplug ac parport_pc lp parport joydev i2c_i801
i2c_core ide_cd cdc_ether i7core_edac cdrom usbnet edac_mc tpm_tis tpm tpm_bios
bnx2 sg pcspkr dm_raid45 dm_message dm_region_hash dm_log dm_mod dm_mem_cache
ata_piix libata shpchp megaraid_sas sd_mod scsi_mod ext3 jbd uhci_hcd ohci_hcd
Pid: 4577, comm: diotest4 Not tainted 2.6.18-296.el5 #1
RIP: 0010:[<ffffffff887aed65>]  [<ffffffff887aed65>]
RSP: 0018:ffff810153cc1d28  EFLAGS: 00010246
RAX: ffff81014df95b10 RBX: ffff81014df95840 RCX: ffff81017fe5e608
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff81014df95840 R08: ffff81014df95840 R09: 0000000000000000
R10: ffff81014df95840 R11: 0000000000000310 R12: 0000000000000000
R13: 0000000000001000 R14: ffff81014aff9218 R15: ffff81014ced68c0
FS:  00002b51e08b3af0(0000) GS:ffff810105524ec0(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000038 CR3: 000000014a8fb000 CR4: 00000000000006a0
Process diotest4 (pid: 4577, threadinfo ffff810153cc0000, task
Stack:  ffff81014df95840 ffff81014df95840 ffff81014ced6898 ffffffff887b4459
 fffffffffffffff4 ffffffff887ccca6 ffff810153cc1e68 0000000000001000
 ffff810153cc1e08 ffff81014a335a00 0000000000001000 0000000000008000
Call Trace:
 [<ffffffff887b4459>] :nfs:nfs_readdata_release+0x10/0x16
 [<ffffffff887ccca6>] :nfs:nfs_file_direct_read+0x1b8/0x52f
 [<ffffffff8000cf47>] do_sync_read+0xc7/0x104
 [<ffffffff887aef81>] :nfs:nfs_open+0x10b/0x125
 [<ffffffff800a3346>] autoremove_wake_function+0x0/0x2e
 [<ffffffff8000b72f>] vfs_read+0xcb/0x171
 [<ffffffff80011d15>] sys_read+0x45/0x6e
 [<ffffffff8005d28d>] tracesys+0xd5/0xe0

Code: 48 8b 47 38 48 89 fb 48 8b 68 10 48 8d b5 b4 00 00 00 e8 c9
RIP  [<ffffffff887aed65>] :nfs:__put_nfs_open_context+0x7/0x93
 RSP <ffff810153cc1d28>
CR2: 0000000000000038
 <0>Kernel panic - not syncing: Fatal exception

Comment 2 Eugene Teo (Security Response) 2011-11-22 02:01:00 UTC
Upstream commit:
http://git.kernel.org/linus/1ae88b2e4 (v2.6.31-rc6)

Comment 3 Petr Matousek 2012-01-10 19:01:15 UTC
This issue did not affect the version of the Linux kernel as shipped with Red
Hat Enterprise Linux 4, 6 and Red Hat Enterprise MRG. This has been addressed in
Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2012-0007.html.

Comment 4 errata-xmlrpc 2012-01-10 20:09:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0007 https://rhn.redhat.com/errata/RHSA-2012-0007.html

Comment 5 Eugene Teo (Security Response) 2012-01-18 07:15:34 UTC
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 782689]
