This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 794557 - (CVE-2012-0810) CVE-2012-0810 kernel-rt: stack corruption when task gets scheduled out using the debug stack
CVE-2012-0810 kernel-rt: stack corruption when task gets scheduled out using ...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20120223,repor...
: Security
: 784673 (view as bug list)
Depends On: 784358
Blocks: 784680
  Show dependency treegraph
 
Reported: 2012-02-17 00:16 EST by Eugene Teo (Security Response)
Modified: 2015-07-27 09:25 EDT (History)
20 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-05-10 11:23:40 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Eugene Teo (Security Response) 2012-02-17 00:16:55 EST
The issue is that the int3 handler uses a per CPU debug stack, and calls do_traps() with interrupts enabled but preemption disabled. Then a signal is sent to the current process, and the code that handles the signal grabs a spinlock. This spinlock becomes a mutex (sleeping lock) when CONFIG_PREEMPT_RT_FULL is enabled.

If there is contention on this lock then the task may schedule out. As the task is using a per CPU stack, and another task may come in and use the same stack, the stack can become corrupted and cause the kernel to panic.
Comment 5 errata-xmlrpc 2012-02-23 15:24:42 EST
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:0333 https://rhn.redhat.com/errata/RHSA-2012-0333.html
Comment 7 Laurent Bonnaud 2012-03-23 13:14:47 EDT
> http://git.kernel.org/linus/968544b96be6801bee3e5974fd1dc29e5ab454ff
> http://git.kernel.org/linus/1bb57b5ea265a1fe2974b6b84fe819489a37e6b3

Those links display a page with this error message:

404 - Unknown commit object
Comment 8 Eugene Teo (Security Response) 2012-03-26 03:11:26 EDT
(In reply to comment #7)
> > http://git.kernel.org/linus/968544b96be6801bee3e5974fd1dc29e5ab454ff
> > http://git.kernel.org/linus/1bb57b5ea265a1fe2974b6b84fe819489a37e6b3
> 
> Those links display a page with this error message:
> 
> 404 - Unknown commit object

I might have mixed it up with an internal repo. I will get back to you on this. Thanks.
Comment 10 Eugene Teo (Security Response) 2012-03-27 04:06:26 EDT
Statement:

This issue did not affect the Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, and 6. This has been addressed in Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2012-0333.html.

Note You need to log in before you can comment on or make changes to this bug.