Bug 243251 (CVE-2006-5158) - CVE-2006-5158 NFS lockd deadlock
Summary: CVE-2006-5158 NFS lockd deadlock
Alias: CVE-2006-5158
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Reported: 2007-06-08 10:02 UTC by Marcel Holtmann
Modified: 2021-11-12 19:34 UTC

Fixed In Version: RHSA-2007-0488
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-06-25 18:05:03 UTC


Related errata: Red Hat Product Errata RHSA-2007:0488 (priority normal, status SHIPPED_LIVE) "Important: kernel security update", last updated 2008-01-09 18:29:42 UTC

Description Marcel Holtmann 2007-06-08 10:02:57 UTC
Report from Matthias Andree:

kernel: Unable to handle kernel NULL pointer dereference at virtual address 0000000c
kernel:  printing eip:
kernel: c01abbb0
kernel: *pde = 00000000
kernel: Oops: 0000 [#1]
kernel: Modules linked in: softdog autofs4 nfsd exportfs thermal processor fan button battery ac w83627hf i2c_sensor i2c_isa i2c_viapro i2c_core usbserial ipt_REDIRECT ipt_multiport parport_pc ipt_recent lp ipt_REJECT ipt_LOG ipt_limit ipt_state parport iptable_filter iptable_mangle 8021q ipv6 joydev sg st sr_mod ide_cd cdrom tun ip_nat_ftp iptable_nat ip_tables ip_conntrack_ftp ip_conntrack via_agp agpgart ehci_hcd uhci_hcd ext3 jbd evdev sd_mod scsi_mod via_rhine mii 3c59x usbcore xfs
kernel: CPU:    0
kernel: EIP:    0060:[<c01abbb0>]    Not tainted VLI
kernel: EFLAGS: 00010246   (2.6.8-24.23-default SL92_BRANCH-20060608133134)
kernel: EIP is at nlmclnt_mark_reclaim+0x50/0x70
kernel: eax: 00000000   ebx: d61298b4   ecx: d61298b8   edx: d6129b20
kernel: esi: de59abe0   edi: 0000000a   ebp: c03710f4   esp: d59dbf5c
kernel: ds: 007b   es: 007b   ss: 0068
kernel: Process lockd (pid: 5029, threadinfo=d59da000 task=dcf24aa0)
kernel: Stack: de59abe0 000000af c01abc40 de59abe0 d59dbf8c c01ad499 000000af
kernel:        c0371a78 c01b26a0 dfebaa00 c01b25f4 cb030002 2aa3d981 00000000
kernel:        dfebaa40 c02f2781 d5201014 00000001 00000001 dfebaa64 dfebaa40
kernel: Call Trace:
kernel:  [<c01abc40>] nlmclnt_recovery+0x70/0xc0
kernel:  [<c01ad499>] nlm_host_rebooted+0x109/0x110
kernel:  [<c01b26a0>] nsmsvc_decode_stat_chge+0x0/0x80
kernel:  [<c01b25f4>] nsmsvc_proc_notify+0x34/0x50
kernel:  [<c02f2781>] svc_process+0x531/0x820
kernel:  [<c01ad949>] lockd+0x119/0x230
kernel:  [<c01ad830>] lockd+0x0/0x230
kernel:  [<c0104255>] kernel_thread_helper+0x5/0x10
kernel: Code: c2 0f 18 00 90 81 f9 6c ce 36 c0 74 34 8d 59 fc 8b 43 24 8b 40 08 8b 40 08 8b 80 94 00 00 00 81 78 38 69 69 00 00 75 d3 8b 43 54 <39> 70 0c 75 cb 8b 43 50 a8 01 74 c4 83 c8 02 89 43 50 8b 11 eb

The oops is from a SuSE 9.2 kernel, but a Red Hat kernel should also be
vulnerable to this issue. While this is a simple NULL pointer dereference, it
seems to deadlock the NFS lockd and so allows a denial of service attack.
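
The faulting instruction in the Code: dump above, `<39> 70 0c`, decodes to `cmp %esi,0xc(%eax)`, and the register dump shows eax = 00000000: the host being recovered (%esi) is compared against a field 12 bytes into a NULL structure, which is exactly the "virtual address 0000000c" in the first line. The bytes just before it, `81 78 38 69 69 00 00` (`cmpl $0x6969,0x38(%eax)`), are the NFS_SUPER_MAGIC test on the lock's inode, and `8b 43 54` then loads a pointer out of the file_lock entry (in the 2.6.8 source, the NLM lock owner) that turns out to be NULL. So the walk over the lock list, reached here from the reboot-notification path in the trace (nsmsvc_proc_notify -> nlm_host_rebooted -> nlmclnt_recovery), assumed that every lock on an NFS inode carries an NLM owner. The C program below is an added model of that walk; it is not kernel code and not the fix that shipped in RHSA-2007:0488. The structure layouts, the `mark_reclaim_*` and `first_faulting_lock` names and the sample lock list are all constructed for illustration. It puts the unchecked walk beside a version that skips locks without an owner, plus a triage helper that reports the entry the unchecked walk would fault on.

```c
#include <stddef.h>
#include <stdio.h>

#define NFS_SUPER_MAGIC 0x6969UL   /* real value: the magic the oops dump compares against */
#define EXT3_MAGIC      0xEF53UL   /* a non-NFS filesystem, for contrast */
#define NFS_LCK_GRANTED 0x1u
#define NFS_LCK_RECLAIM 0x2u

/* Simplified stand-ins for the kernel structures; layouts are hypothetical. */
struct nlm_host      { const char *name; };
struct nlm_lockowner { struct nlm_host *host; };
struct super_block   { unsigned long s_magic; };
struct inode         { struct super_block *i_sb; };
struct file_lock {
    struct inode         *inode;   /* stands in for fl_file->f_dentry->d_inode */
    struct nlm_lockowner *owner;   /* NULL when the lock was not placed through NLM */
    unsigned int          flags;   /* NFS_LCK_* bits */
    struct file_lock     *next;    /* stands in for the file_lock_list linkage */
};

/* 2.6.8-shaped walk: after the NFS_SUPER_MAGIC test it dereferences the owner
 * pointer unconditionally. With a NULL owner this is the user-space analogue of
 * the "NULL pointer dereference at virtual address 0000000c" in the report. */
static int mark_reclaim_unchecked(struct file_lock *list, struct nlm_host *host)
{
    int marked = 0;
    for (struct file_lock *fl = list; fl; fl = fl->next) {
        if (fl->inode->i_sb->s_magic != NFS_SUPER_MAGIC)
            continue;
        if (fl->owner->host != host)        /* faults when fl->owner == NULL */
            continue;
        if (!(fl->flags & NFS_LCK_GRANTED))
            continue;
        fl->flags |= NFS_LCK_RECLAIM;
        marked++;
    }
    return marked;
}

/* Hardened walk: only locks that actually carry an NLM owner are reclaim candidates. */
static int mark_reclaim_checked(struct file_lock *list, struct nlm_host *host)
{
    int marked = 0;
    for (struct file_lock *fl = list; fl; fl = fl->next) {
        if (fl->inode->i_sb->s_magic != NFS_SUPER_MAGIC)
            continue;
        if (fl->owner == NULL || fl->owner->host != host)
            continue;
        if (!(fl->flags & NFS_LCK_GRANTED))
            continue;
        fl->flags |= NFS_LCK_RECLAIM;
        marked++;
    }
    return marked;
}

/* Triage helper: index of the first lock the unchecked walk would fault on, or -1. */
static int first_faulting_lock(const struct file_lock *list)
{
    int i = 0;
    for (const struct file_lock *fl = list; fl; fl = fl->next, i++)
        if (fl->inode->i_sb->s_magic == NFS_SUPER_MAGIC && fl->owner == NULL)
            return i;
    return -1;
}

/* Constructed sample: three locks on an NFS mount plus one on ext3. With
 * with_unowned set, index 1 models an NFS-file lock that has no NLM owner,
 * the condition behind the oops. */
static struct super_block nfs_sb = { NFS_SUPER_MAGIC }, ext3_sb = { EXT3_MAGIC };
static struct inode nfs_inode = { &nfs_sb }, ext3_inode = { &ext3_sb };
static struct nlm_host srv_a = { "server-a" }, srv_b = { "server-b" };
static struct nlm_lockowner owner_a = { &srv_a }, owner_b = { &srv_b };
static struct file_lock locks[4];

static struct file_lock *build_sample(int with_unowned)
{
    locks[0] = (struct file_lock){ &nfs_inode,  &owner_a, NFS_LCK_GRANTED, &locks[1] };
    locks[1] = (struct file_lock){ &nfs_inode,  with_unowned ? NULL : &owner_b,
                                   NFS_LCK_GRANTED, &locks[2] };
    locks[2] = (struct file_lock){ &ext3_inode, NULL, 0, &locks[3] };
    locks[3] = (struct file_lock){ &nfs_inode,  &owner_a, 0, NULL };  /* not yet granted */
    return &locks[0];
}

int main(void)
{
    struct file_lock *list = build_sample(1);
    printf("unchecked walk would fault on lock index %d\n", first_faulting_lock(list));
    printf("checked walk marked %d lock(s) for reclaim\n", mark_reclaim_checked(list, &srv_a));
    /* mark_reclaim_unchecked(list, &srv_a) would segfault on the list above;
     * it is only safe on a list where every NFS lock has an owner. */
    list = build_sample(0);
    printf("unchecked walk on a fully owned list marked %d\n",
           mark_reclaim_unchecked(list, &srv_a));
    return 0;
}
```

Running the unchecked walk on the list that contains the unowned entry crashes the process, the user-space counterpart of the lockd oops; main therefore calls it only on the fully owned list. The NULL check in `mark_reclaim_checked` is one minimal guard for the model and says nothing about how the upstream or RHEL patch was written.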

Comment 1 Jeff Layton 2007-06-08 10:39:24 UTC

*** This bug has been marked as a duplicate of 210128 ***

Comment 2 Jeff Layton 2007-06-08 10:45:34 UTC
My mistake, didn't realize this was on z-stream proposed. Might have been better
to clone the other BZ that contains the patch.

Comment 3 Jason Baron 2007-06-12 15:33:55 UTC
committed in stream rhel-4.5.z build 55.0.1

Comment 6 Red Hat Bugzilla 2007-06-25 18:05:03 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

