Bug 853474 - (CVE-2012-4398) CVE-2012-4398 kernel: request_module() OOM local DoS
CVE-2012-4398 kernel: request_module() OOM local DoS
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 819529 819736 858752 858753 858755
Blocks: 853475
  Show dependency treegraph
Reported: 2012-08-31 12:34 EDT by Petr Matousek
Modified: 2015-07-31 02:53 EDT (History)
26 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-08-24 09:30:04 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:1282 normal SHIPPED_LIVE Moderate: kernel-rt security, bug fix, and enhancement update 2012-09-19 18:02:30 EDT
Red Hat Product Errata RHSA-2013:0223 normal SHIPPED_LIVE Moderate: kernel security and bug fix update 2013-02-05 19:52:09 EST
Red Hat Product Errata RHSA-2013:1348 normal SHIPPED_LIVE Moderate: Red Hat Enterprise Linux 5 kernel update 2013-09-30 20:41:39 EDT

  None (edit)
Description Petr Matousek 2012-08-31 12:34:46 EDT
As Tetsuo Handa pointed out, request_module() can stress the system while the oom-killed caller sleeps in TASK_UNINTERRUPTIBLE.

The task T uses "almost all" memory, then it does something which triggers request_module().  Say, it can simply call sys_socket().  This in turn needs more memory and leads to OOM.  oom-killer correctly chooses T and kills it, but this can't help because it sleeps in TASK_UNINTERRUPTIBLE and after that oom-killer becomes "disabled" by the TIF_MEMDIE task T.

A local unprivileged user can make the system unusable.

Upstream fixes:
(1) 70834d30 "usermodehelper: use UMH_WAIT_PROC consistently"
(2) b3449922 "usermodehelper: introduce umh_complete(sub_info)"
(3) d0bd587a "usermodehelper: implement UMH_KILLABLE"
(4) 9d944ef3 "usermodehelper: kill umh_wait, renumber UMH_* constants"
(5) 5b9bd473 "usermodehelper: ____call_usermodehelper() doesn't need do_exit()"
(6) 3e63a93b "kmod: introduce call_modprobe() helper"
(7) 1cc684ab "kmod: make __request_module() killable"

According to the reporter, (1) and (4) are optional and safer to exclude.



Red Hat would like to thank Tetsuo Handa for reporting this issue.
Comment 3 Petr Matousek 2012-09-19 11:40:28 EDT

This issue does affect the versions of the Linux kernel as shipped with Red
Hat Enterprise Linux 5, 6 and Red Hat Enteprise MRG. Future kernel updates may address this flaw.
Comment 4 errata-xmlrpc 2012-09-19 14:04:23 EDT
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:1282 https://rhn.redhat.com/errata/RHSA-2012-1282.html
Comment 6 errata-xmlrpc 2013-02-05 14:55:50 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0223 https://rhn.redhat.com/errata/RHSA-2013-0223.html
Comment 10 errata-xmlrpc 2013-09-30 19:32:42 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1348 https://rhn.redhat.com/errata/RHSA-2013-1348.html

Note You need to log in before you can comment on or make changes to this bug.