Bug 1094363 (CVE-2014-0203) - CVE-2014-0203 kernel: fs: slab corruption due to the invalid last component type during do_filp_open()
Summary: CVE-2014-0203 kernel: fs: slab corruption due to the invalid last component t...
Alias: CVE-2014-0203
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1079347 1094370
Blocks: 1094374
TreeView+ depends on / blocked
Reported: 2014-05-05 14:10 UTC by Petr Matousek
Modified: 2023-05-12 03:18 UTC (History)
18 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-06-23 06:54:12 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0771 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2014-06-19 21:52:21 UTC

Description Petr Matousek 2014-05-05 14:10:08 UTC
It was found that proc_ns_follow_link() doesn't return LAST_BIND (unlike
proc_pid_follow_link()) which leads to the slab corruption caused by
(excessive) putname() in do_filp_open().

The slab corruption later manifests itself in the form of BUG() in
cache_alloc_refill() when performing "$ echo > /proc/$$/ns/pid" --

kernel BUG at mm/slab.c:3069!
invalid opcode: 0000 [#1] SMP
last sysfs file: /sys/devices/system/node/node0/meminfo
Modules linked in:
Pid: 2249, comm: bash Not tainted 2.6.32-431.5.1.el6.x86_64 #1
RIP: 0010:[<ffffffff8116ed14>]  [<ffffffff8116ed14>] cache_alloc_refill+0x1e4/0x240
RSP: 0018:ffff88007b69fe38  EFLAGS: 00010082
RAX: 000000000000000c RBX: ffff88007ec30f00 RCX: 00000000ffffffff
RDX: 000000000000000c RSI: 0000000000000000 RDI: ffff88007fa96580
RBP: ffff88007b69fe98 R08: 0000000000000000 R09: 000000000000002a
R10: 0000000000000076 R11: 0000000000000000 R12: ffff88007fa96580
R13: ffff88007fae8c40 R14: 000000000000000c R15: ffff88007d9386c0
FS:  00007f6f8819b700(0000) GS:ffff88000c420000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000006d3d88 CR3: 00000000374d1000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process bash (pid: 2249, threadinfo ffff88007b69e000, task ffff8800379a5540)
 ffff88007b69fe58 00000000811a1edf ffff88007fae8c80 000412d07bdf1500
 ffff88007fae8c60 ffff88007fae8c50 ffff88007b69feb8 0000000001440530
 00000000000000d0 ffff88007ec30f00 00000000000000d0 0000000000000246
Call Trace:
 [<ffffffff8116fdcf>] kmem_cache_alloc+0x15f/0x190
 [<ffffffff81196ff7>] getname+0x47/0x240
 [<ffffffff81185ce2>] do_sys_open+0x32/0x140
 [<ffffffff81185e30>] sys_open+0x20/0x30
 [<ffffffff8100b072>] system_call_fastpath+0x16/0x1b
Code: 89 ff e8 70 57 12 00 eb 99 66 0f 1f 44 00 00 41 c7 45 60 01 00 00 00 4d 8b 7d 20 4c 39 7d c0 0f 85 f2 fe ff ff eb 84 0f 0b eb fe <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 eb f4 8b 55 ac 8b 75 bc 31
RIP  [<ffffffff8116ed14>] cache_alloc_refill+0x1e4/0x240
 RSP <ffff88007b69fe38>

An unprivileged local user could use this flaw to crash the system.
Upstream fix:


Red Hat would like to thank Vladimir Davydov of Parallels for reporting this issue.

Comment 2 Petr Matousek 2014-06-18 09:57:54 UTC

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 7 and Red Hat Enterprise MRG 2.

Comment 3 errata-xmlrpc 2014-06-19 17:53:55 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0771 https://rhn.redhat.com/errata/RHSA-2014-0771.html

Note You need to log in before you can comment on or make changes to this bug.