Bug 822821 (CVE-2012-2373) - CVE-2012-2373 kernel: mm: read_pmd_atomic: 32bit PAE pmd walk vs pmd_populate SMP race condition
Summary: CVE-2012-2373 kernel: mm: read_pmd_atomic: 32bit PAE pmd walk vs pmd_populate...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-2373
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 820762 822822 822823 822824 822825
Blocks: 822829
TreeView+ depends on / blocked
 
Reported: 2012-05-18 09:30 UTC by Petr Matousek
Modified: 2021-02-23 14:45 UTC (History)
22 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-05-08 17:54:08 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:0743 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2012-06-18 17:32:36 UTC

Description Petr Matousek 2012-05-18 09:30:30 UTC 
When holding the mmap_sem for reading, pmd_offset_map_lock should only
run on a pmd_t that has been read atomically from the pmdp
pointer, otherwise we may read only half of it leading to this crash.

PID: 11679  TASK: f06e8000  CPU: 3   COMMAND: "do_race_2_panic"
 #0 [f06a9dd8] crash_kexec at c049b5ec
 #1 [f06a9e2c] oops_end at c083d1c2
 #2 [f06a9e40] no_context at c0433ded
 #3 [f06a9e64] bad_area_nosemaphore at c043401a
 #4 [f06a9e6c] __do_page_fault at c0434493
 #5 [f06a9eec] do_page_fault at c083eb45
 #6 [f06a9f04] error_code (via page_fault) at c083c5d5
    EAX: 01fb470c EBX: fff35000 ECX: 00000003 EDX: 00000100 EBP:
    00000000
    DS:  007b     ESI: 9e201000 ES:  007b     EDI: 01fb4700 GS:  00e0
    CS:  0060     EIP: c083bc14 ERR: ffffffff EFLAGS: 00010246
 #7 [f06a9f38] _spin_lock at c083bc14
 #8 [f06a9f44] sys_mincore at c0507b7d
 #9 [f06a9fb0] system_call at c083becd
                         start           len
    EAX: ffffffda  EBX: 9e200000  ECX: 00001000  EDX: 6228537f
    DS:  007b      ESI: 00000000  ES:  007b      EDI: 003d0f00
    SS:  007b      ESP: 62285354  EBP: 62285388  GS:  0033
    CS:  0073      EIP: 00291416  ERR: 000000da  EFLAGS: 00000286

This should be a longstanding bug affecting x86 32bit PAE without
THP. Only archs with 64bit large pmd_t and 32bit unsigned long should
be affected.

An unprivileged local user could use this flaw to crash the system.

Proposed fix:
http://permalink.gmane.org/gmane.linux.kernel.mm/78590
Comment 2 Petr Matousek 2012-05-18 09:34:14 UTC 
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 822825]
Comment 3 Kurt Seifried 2012-05-18 17:38:59 UTC 
Added CVE as per http://www.openwall.com/lists/oss-security/2012/05/18/11
Comment 4 Fedora Update System 2012-06-07 02:33:38 UTC 
kernel-3.4.0-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2012-06-13 21:29:59 UTC 
kernel-3.3.8-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 errata-xmlrpc 2012-06-18 13:35:05 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0743 https://rhn.redhat.com/errata/RHSA-2012-0743.html
Comment 7 Fedora Update System 2012-06-22 08:37:49 UTC 
kernel-2.6.43.8-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Petr Matousek 2012-11-07 11:52:44 UTC 
Statement:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG. Kernel update RHSA-2012:0743 https://rhn.redhat.com/errata/RHSA-2012-0743.html for Red Hat Enterprise Linux 6 did address this issue.
Note You need to log in before you can comment on or make changes to this bug.