Bug 530490 - (CVE-2009-3547) CVE-2009-3547 kernel: fs: pipe.c null pointer dereference
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=important,reported=20091023,pu...
Keywords: Security
Depends On: 530934 530935 530936 530937 530938 530939 531656 533097 533098 533099 537294
Blocks:
Reported: 2009-10-23 00:16 EDT by Eugene Teo (Security Response)
Modified: 2012-07-19 11:50 EDT (History)
CC: 28 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-03-28 04:08:52 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Attachments: None
Comment 4 Eugene Teo (Security Response) 2009-10-26 03:16:09 EDT
Quote from the upstream commit:
fs: pipe.c null pointer dereference
    
This patch fixes a null pointer exception in pipe_rdwr_open() which generates the stack trace:
    
> Unable to handle kernel NULL pointer dereference at 0000000000000028 RIP:
>  [<ffffffff802899a5>] pipe_rdwr_open+0x35/0x70
>  [<ffffffff8028125c>] __dentry_open+0x13c/0x230
>  [<ffffffff8028143d>] do_filp_open+0x2d/0x40
>  [<ffffffff802814aa>] do_sys_open+0x5a/0x100
>  [<ffffffff8021faf3>] sysenter_do_call+0x1b/0x67
    
The failure mode is triggered by an attempt to open an anonymous pipe via /proc/pid/fd/* as exemplified by this script:
    
=============================================================
while : ; do
   { echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
   PID=$!
   OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
        { read PID REST ; echo $PID; } )
   OUT="${OUT%% *}"
   DELAY=$((RANDOM * 1000 / 32768))
   usleep $((DELAY * 1000 + RANDOM % 1000 ))
   echo n > /proc/$OUT/fd/1                 # Trigger defect
done
=============================================================
    
Note that the failure window is quite small and I could only reliably reproduce the defect by inserting a small delay in pipe_rdwr_open(). For example:

 static int
 pipe_rdwr_open(struct inode *inode, struct file *filp)
 {
       msleep(100);
       mutex_lock(&inode->i_mutex);

Although the defect was observed in pipe_rdwr_open(), I think it makes sense to replicate the change through all the pipe_*_open() functions.
    
The core of the change is to verify that inode->i_pipe has not been released before attempting to manipulate it. If inode->i_pipe is no longer present, return ENOENT to indicate so.
    
The comment about potentially using atomic_t for i_pipe->readers and i_pipe->writers has also been removed because it is no longer relevant in this context. The inode->i_mutex lock must be used so that inode->i_pipe can be dealt with correctly.

http://lkml.org/lkml/2009/10/14/184
http://lkml.org/lkml/2009/10/21/42
http://git.kernel.org/linus/ad3960243e55320d74195fb85c975e0a8cc4466c
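The check the commit message describes, as a user-space model added here for illustration (not the kernel's code or the commit's diff): the names follow fs/pipe.c, but the structs, the mutex stand-in and release_pipe() are constructed, and the "vulnerable" variant shows the unconditional dereference that the fixed variant replaces with a NULL check taken under i_mutex.

```c
/* User-space model of the CVE-2009-3547 fix in pipe_*_open(). Names follow
 * fs/pipe.c, but these structs, the lock stand-in and release_pipe() are
 * constructed for illustration here; they are not the kernel's own code. */
#include <errno.h>
#include <stdlib.h>
#define FMODE_READ  0x1
#define FMODE_WRITE 0x2
struct mutex { int held; };                    /* stand-in for the kernel mutex */
struct pipe_inode_info { unsigned int readers, writers; };
struct inode { struct mutex i_mutex; struct pipe_inode_info *i_pipe; };
struct file { unsigned int f_mode; };
void mutex_lock(struct mutex *m)   { if (m->held) abort(); m->held = 1; }
void mutex_unlock(struct mutex *m) { if (!m->held) abort(); m->held = 0; }
/* Before the fix: i_pipe is dereferenced unconditionally, so once the last close
 * has freed the pipe (i_pipe == NULL) this is the NULL dereference in the trace. */
int pipe_rdwr_open_vulnerable(struct inode *inode, struct file *filp)
{
	mutex_lock(&inode->i_mutex);
	if (filp->f_mode & FMODE_READ)
		inode->i_pipe->readers++;
	if (filp->f_mode & FMODE_WRITE)
		inode->i_pipe->writers++;
	mutex_unlock(&inode->i_mutex);
	return 0;
}

/* After the fix: check and use of i_pipe sit under the same i_mutex that
 * release_pipe() holds while clearing it; a released pipe yields -ENOENT. */
int pipe_rdwr_open_fixed(struct inode *inode, struct file *filp)
{
	int ret = -ENOENT;
	mutex_lock(&inode->i_mutex);
	if (inode->i_pipe) {
		ret = 0;
		if (filp->f_mode & FMODE_READ)
			inode->i_pipe->readers++;
		if (filp->f_mode & FMODE_WRITE)
			inode->i_pipe->writers++;
	}
	mutex_unlock(&inode->i_mutex);
	return ret;
}
/* Models the last close freeing the pipe under i_mutex (free_pipe_info()). */
void release_pipe(struct inode *inode)
{
	mutex_lock(&inode->i_mutex);
	free(inode->i_pipe);
	inode->i_pipe = NULL;
	mutex_unlock(&inode->i_mutex);
}
```

On the non-racing path both variants behave identically; only after release_pipe() has cleared i_pipe does the fixed variant return -ENOENT where the old code would have dereferenced NULL.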
Comment 10 errata-xmlrpc 2009-11-03 13:21:24 EST
This issue has been addressed in the following products:

  MRG for RHEL-5

Via RHSA-2009:1540 https://rhn.redhat.com/errata/RHSA-2009-1540.html
Comment 11 errata-xmlrpc 2009-11-03 14:12:54 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1541 https://rhn.redhat.com/errata/RHSA-2009-1541.html
Comment 12 errata-xmlrpc 2009-11-03 14:33:47 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1548 https://rhn.redhat.com/errata/RHSA-2009-1548.html
Comment 14 errata-xmlrpc 2009-11-03 17:03:31 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1550 https://rhn.redhat.com/errata/RHSA-2009-1550.html
Comment 17 Fedora Update System 2009-11-04 23:56:59 EST
kernel-2.6.30.9-96.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kernel-2.6.30.9-96.fc11
Comment 18 Fedora Update System 2009-11-05 00:05:36 EST
kernel-2.6.30.9-96.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kernel-2.6.30.9-96.fc11
Comment 19 Fedora Update System 2009-11-05 00:14:31 EST
kernel-2.6.27.38-170.2.113.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kernel-2.6.27.38-170.2.113.fc10
Comment 20 Fedora Update System 2009-11-05 19:02:49 EST
kernel-2.6.30.9-96.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 21 Fedora Update System 2009-11-05 19:04:43 EST
kernel-2.6.27.38-170.2.113.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 23 errata-xmlrpc 2009-11-17 10:23:37 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.3.Z - Server Only

Via RHSA-2009:1587 https://rhn.redhat.com/errata/RHSA-2009-1587.html
Comment 24 errata-xmlrpc 2009-11-17 10:26:35 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4.7 Z Stream

Via RHSA-2009:1588 https://rhn.redhat.com/errata/RHSA-2009-1588.html
Comment 26 Igor Zhang 2009-12-09 01:41:17 EST
Wrong placement for Comment #25, sorry!~ I should change its state back.
Comment 27 errata-xmlrpc 2009-12-15 12:02:12 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.2 Z Stream

Via RHSA-2009:1672 https://rhn.redhat.com/errata/RHSA-2009-1672.html