Bug 757143 - (CVE-2011-4348) CVE-2011-4348 kernel: incomplete fix for CVE-2011-2482
CVE-2011-4348 kernel: incomplete fix for CVE-2011-2482
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20120110,repo...
: Security
Depends On: 757146
Blocks: 731905
  Show dependency treegraph
 
Reported: 2011-11-25 10:14 EST by Petr Matousek
Modified: 2015-02-16 10:45 EST (History)
14 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-05-10 04:10:09 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Petr Matousek 2011-11-25 10:14:02 EST
When testing [CVE-2011-2482] with SELinux disabled (haven't triggered panic on
patched kernel with selinux on), the reproducer run after regular user causes
soft lookups and the machine becomes completely unresponsive on patched kernel.
Target machine was unresponsive after remote part of reproducer (con) killed.
Target with patched kernel needed to be rebooted to start working regularly. 

[root@intel-mahobay-01 ~]# setenforce 0
[test@intel-mahobay-01 ~]$ uname -r
2.6.18-238.30.1.el5
[test@intel-mahobay-01 ~]$ for i in 3333 3334 3335 3336; do
> ./acc -a 1 -p $i -K -k 10000 -K -F 1 -R -U -W & done
[test@intel-mahobay-01 ~]$ BUG: soft lockup - CPU#2 stuck for 60s! [acc:5861]
CPU 2:
Modules linked in: md5 sctp autofs4 hidp rfcomm l2cap bluetooth lockd sunrpc
cpufreq_ondemand acpi_cpufreq freq_table mperf be2iscsi ib_iser rdma_cm ib_cm
iw_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp bnx2i cnic ipv6 xfrm_nalgo
crypto_api uio cxgb3i cxgb3 libiscsi_tcp libiscsi2 scsi_transport_iscsi2
scsi_transport_iscsi loop dm_multipath scsi_dh video backlight sbs power_meter
hwmon i2c_ec i2c_core dell_wmi wmi button battery asus_acpi acpi_memhotplug ac
lp sr_mod cdrom parport_serial sg e1000e parport_pc shpchp igb parport 8021q
tpm_tis dca tpm pcspkr tpm_bios dm_raid45 dm_message dm_region_hash
dm_mem_cache dm_snapshot dm_zero dm_mirror dm_log dm_mod ahci libata sd_mod
scsi_mod ext3 jbd uhci_hcd ohci_hcd ehci_hcd
Pid: 5861, comm: acc Not tainted 2.6.18-238.30.1.el5 #1
RIP: 0010:[<ffffffff80064be3>]  [<ffffffff80064be3>]
.text.lock.spinlock+0x29/0x30
RSP: 0018:ffff810139751dc8  EFLAGS: 00000282
RAX: ffff810139751fd8 RBX: 0000000000000000 RCX: ffff81013a7660d0
RDX: ffff81014daa38d0 RSI: ffff81014daa38d0 RDI: ffff810139dd89c0
RBP: ffff810139e82e00 R08: ffff810146e56700 R09: 0000000000000000
R10: ffff810139751b68 R11: ffff81013a352000 R12: 0000000000000292
R13: ffff81014daa38a8 R14: ffffffff88671ba7 R15: 0000000000000296
FS:  00002aaed65086e0(0000) GS:ffff81014e4ffe40(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00007fff136a7c40 CR3: 000000013a3a6000 CR4: 00000000000006e0

Call Trace:
 [<ffffffff80064ae9>] _spin_lock_bh+0x9/0x14
 [<ffffffff80030fe6>] release_sock+0x13/0xc1
 [<ffffffff8867f048>] :sctp:sctp_accept+0x1b7/0x1d0
 [<ffffffff800a2884>] autoremove_wake_function+0x0/0x2e
 [<ffffffff8026822a>] inet_accept+0x25/0xcb
 [<ffffffff8022b938>] sys_accept+0x11c/0x1ea
 [<ffffffff80030fe6>] release_sock+0x13/0xc1
 [<ffffffff8022d9cb>] sock_setsockopt+0x4d3/0x4e5
 [<ffffffff800b95d4>] audit_syscall_entry+0x1a4/0x1cf
 [<ffffffff8005d28d>] tracesys+0xd5/0xe0

BUG: soft lockup - CPU#7 stuck for 60s! [ksoftirqd/7:24]
CPU 7:
Modules linked in: md5 sctp autofs4 hidp rfcomm l2cap bluetooth lockd sunrpc
cpufreq_ondemand acpi_cpufreq freq_table mperf be2iscsi ib_iser rdma_cm ib_cm
iw_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp bnx2i cnic ipv6 xfrm_nalgo
crypto_api uio cxgb3i cxgb3 libiscsi_tcp libiscsi2 scsi_transport_iscsi2
scsi_transport_iscsi loop dm_multipath scsi_dh video backlight sbs power_meter
hwmon i2c_ec i2c_core dell_wmi wmi button battery asus_acpi acpi_memhotplug ac
lp sr_mod cdrom parport_serial sg e1000e parport_pc shpchp igb parport 8021q
tpm_tis dca tpm pcspkr tpm_bios dm_raid45 dm_message dm_region_hash
dm_mem_cache dm_snapshot dm_zero dm_mirror dm_log dm_mod ahci libata sd_mod
scsi_mod ext3 jbd uhci_hcd ohci_hcd ehci_hcd
Pid: 24, comm: ksoftirqd/7 Not tainted 2.6.18-238.30.1.el5 #1
RIP: 0010:[<ffffffff80064bbf>]  [<ffffffff80064bbf>]
.text.lock.spinlock+0x5/0x30
RSP: 0018:ffff810104a6fcb0  EFLAGS: 00000282
RAX: 0000000000000000 RBX: ffff81014717c480 RCX: 0000000000000000
RDX: ffff810139e05d60 RSI: ffff810104a6fd14 RDI: ffff810139dd89c0
RBP: ffff810104a6fc30 R08: ffff810139e05cc0 R09: 0000000000000000
R10: ffff810139e05cc0 R11: 00000000000000f8 R12: ffffffff8005dc8e
R13: ffff810139e05cc0 R14: ffffffff80078f1d R15: ffff810104a6fc30
FS:  0000000000000000(0000) GS:ffff81014e59e340(0000) knlGS:0000000000000000
CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
CR2: 00007fff136a7c34 CR3: 0000000000201000 CR4: 00000000000006e0

Call Trace:
 <IRQ>  [<ffffffff8868093c>] :sctp:sctp_rcv+0x61e/0x7ba
 [<ffffffff8008f355>] scheduler_tick+0xc3/0x35f
 [<ffffffff80034b1e>] ip_local_deliver+0x19d/0x263
 [<ffffffff80035c7a>] ip_rcv+0x539/0x57c
 [<ffffffff80020bdc>] netif_receive_skb+0x470/0x49f
 [<ffffffff8823ebfb>] :e1000e:e1000_receive_skb+0x1b5/0x1d6
 [<ffffffff8824390d>] :e1000e:e1000_clean_rx_irq+0x271/0x318
 [<ffffffff88241abc>] :e1000e:e1000_clean+0x7c/0x29b
 [<ffffffff8000ca35>] net_rx_action+0xac/0x1b3
 [<ffffffff80012537>] __do_softirq+0x89/0x133
 [<ffffffff8005e2fc>] call_softirq+0x1c/0x28
 <EOI>  [<ffffffff80096395>] ksoftirqd+0x0/0xbf
 [<ffffffff8006d5f5>] do_softirq+0x2c/0x7d
 [<ffffffff800963f4>] ksoftirqd+0x5f/0xbf
 [<ffffffff80032b28>] kthread+0xfe/0x132
 [<ffffffff8005dfb1>] child_rip+0xa/0x11
 [<ffffffff80032a2a>] kthread+0x0/0x132
 [<ffffffff8005dfa7>] child_rip+0x0/0x11
Comment 3 Vincent Danen 2012-01-10 13:26:08 EST
Statement:

This issue did not affect the version of the Linux kernel as shipped with Red Hat Enterprise Linux 4, 6 and Red Hat Enterprise MRG as they were not vulnerable to CVE-2011-2482. This has been addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2012-0007.html.
Comment 4 errata-xmlrpc 2012-01-10 15:10:13 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0007 https://rhn.redhat.com/errata/RHSA-2012-0007.html
Comment 5 Eugene Teo (Security Response) 2012-03-04 21:16:15 EST
Upstream commit:
http://git.kernel.org/linus/ae53b5bd77719fed58086c5be60ce4f22bffe1c6

Note You need to log in before you can comment on or make changes to this bug.