Bug 853474 (CVE-2012-4398) - CVE-2012-4398 kernel: request_module() OOM local DoS
Summary: CVE-2012-4398 kernel: request_module() OOM local DoS
Status: CLOSED ERRATA
Alias: CVE-2012-4398
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20120323,repor...
Keywords: Security
Depends On: 819529 819736 858752 858753 858755
Blocks: 853475
TreeView+ depends on / blocked
 
Reported: 2012-08-31 16:34 UTC by Petr Matousek
Modified: 2018-11-30 19:28 UTC (History)
26 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-08-24 13:30:04 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:1282 normal SHIPPED_LIVE Moderate: kernel-rt security, bug fix, and enhancement update 2012-09-19 22:02:30 UTC
Red Hat Product Errata RHSA-2013:0223 normal SHIPPED_LIVE Moderate: kernel security and bug fix update 2013-02-06 00:52:09 UTC
Red Hat Product Errata RHSA-2013:1348 normal SHIPPED_LIVE Moderate: Red Hat Enterprise Linux 5 kernel update 2013-10-01 00:41:39 UTC

Description Petr Matousek 2012-08-31 16:34:46 UTC
As Tetsuo Handa pointed out, request_module() can stress the system while the oom-killed caller sleeps in TASK_UNINTERRUPTIBLE.

The task T uses "almost all" memory, then it does something which triggers request_module().  Say, it can simply call sys_socket().  This in turn needs more memory and leads to OOM.  oom-killer correctly chooses T and kills it, but this can't help because it sleeps in TASK_UNINTERRUPTIBLE and after that oom-killer becomes "disabled" by the TIF_MEMDIE task T.

A local unprivileged user can make the system unusable.

Upstream fixes:
(1) 70834d30 "usermodehelper: use UMH_WAIT_PROC consistently"
(2) b3449922 "usermodehelper: introduce umh_complete(sub_info)"
(3) d0bd587a "usermodehelper: implement UMH_KILLABLE"
(4) 9d944ef3 "usermodehelper: kill umh_wait, renumber UMH_* constants"
(5) 5b9bd473 "usermodehelper: ____call_usermodehelper() doesn't need do_exit()"
(6) 3e63a93b "kmod: introduce call_modprobe() helper"
(7) 1cc684ab "kmod: make __request_module() killable"

According to the reporter, (1) and (4) are optional and safer to exclude.

References:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/963685

Acknowledgements:

Red Hat would like to thank Tetsuo Handa for reporting this issue.

Comment 3 Petr Matousek 2012-09-19 15:40:28 UTC
Statement:

This issue does affect the versions of the Linux kernel as shipped with Red
Hat Enterprise Linux 5, 6 and Red Hat Enteprise MRG. Future kernel updates may address this flaw.

Comment 4 errata-xmlrpc 2012-09-19 18:04:23 UTC
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:1282 https://rhn.redhat.com/errata/RHSA-2012-1282.html

Comment 6 errata-xmlrpc 2013-02-05 19:55:50 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0223 https://rhn.redhat.com/errata/RHSA-2013-0223.html

Comment 10 errata-xmlrpc 2013-09-30 23:32:42 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1348 https://rhn.redhat.com/errata/RHSA-2013-1348.html


Note You need to log in before you can comment on or make changes to this bug.