Bug 794557 (CVE-2012-0810) - CVE-2012-0810 kernel-rt: stack corruption when task gets scheduled out using the debug stack
Summary: CVE-2012-0810 kernel-rt: stack corruption when task gets scheduled out using ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-0810
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 784673 (view as bug list)
Depends On: 784358
Blocks: 784680
TreeView+ depends on / blocked
 
Reported: 2012-02-17 05:16 UTC by Eugene Teo (Security Response)
Modified: 2019-09-29 12:50 UTC (History)
20 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-05-10 15:23:40 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:0333 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2012-02-24 01:21:35 UTC

Description Eugene Teo (Security Response) 2012-02-17 05:16:55 UTC
The issue is that the int3 handler uses a per CPU debug stack, and calls do_traps() with interrupts enabled but preemption disabled. Then a signal is sent to the current process, and the code that handles the signal grabs a spinlock. This spinlock becomes a mutex (sleeping lock) when CONFIG_PREEMPT_RT_FULL is enabled.

If there is contention on this lock then the task may schedule out. As the task is using a per CPU stack, and another task may come in and use the same stack, the stack can become corrupted and cause the kernel to panic.

Comment 5 errata-xmlrpc 2012-02-23 20:24:42 UTC
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:0333 https://rhn.redhat.com/errata/RHSA-2012-0333.html

Comment 7 Laurent Bonnaud 2012-03-23 17:14:47 UTC
> http://git.kernel.org/linus/968544b96be6801bee3e5974fd1dc29e5ab454ff
> http://git.kernel.org/linus/1bb57b5ea265a1fe2974b6b84fe819489a37e6b3

Those links display a page with this error message:

404 - Unknown commit object

Comment 8 Eugene Teo (Security Response) 2012-03-26 07:11:26 UTC
(In reply to comment #7)
> > http://git.kernel.org/linus/968544b96be6801bee3e5974fd1dc29e5ab454ff
> > http://git.kernel.org/linus/1bb57b5ea265a1fe2974b6b84fe819489a37e6b3
> 
> Those links display a page with this error message:
> 
> 404 - Unknown commit object

I might have mixed it up with an internal repo. I will get back to you on this. Thanks.

Comment 10 Eugene Teo (Security Response) 2012-03-27 08:06:26 UTC
Statement:

This issue did not affect the Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, and 6. This has been addressed in Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2012-0333.html.


Note You need to log in before you can comment on or make changes to this bug.