Bug 1525218 (CVE-2017-15127) - CVE-2017-15127 kernel: Improper error handling of VM_SHARED hugetlbfs mapping in mm/hugetlb.c
Summary: CVE-2017-15127 kernel: Improper error handling of VM_SHARED hugetlbfs mapping...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-15127
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1536998 1536999 1537000 1545040
Blocks: 1518303
TreeView+ depends on / blocked
 
Reported: 2017-12-12 19:57 UTC by Pedro Sampaio
Modified: 2021-02-17 01:06 UTC (History)
49 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in the Linux kernel when freeing pages in hugetlbfs. This could trigger a local denial of service by crashing the kernel.
Clone Of:
Environment:
Last Closed: 2018-01-29 02:36:14 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:0676 0 None None None 2018-04-10 08:14:25 UTC
Red Hat Product Errata RHSA-2018:1062 0 None None None 2018-04-10 09:38:08 UTC

Description Pedro Sampaio 2017-12-12 19:57:20 UTC 
A flaw was found in the Linux kernel where an additional implicit page unlock for VM_SHARED hugetlbfs mapping could trigger local denial of service by crashing the kernel with the message:

page dumped because: VM_BUG_ON_PAGE(!PageLocked(page))

kernel BUG at mm/filemap.c:964! 
invalid opcode: 0000 [#1] SMP 
CPU: 1 PID: 22582 Comm: qemu-system-x86 Not tainted 4.11.11-300.fc26.x86_64 #1 RIP: unlock_page+0x4a/0x50 
Call Trace: hugetlb_mcopy_atomic_pte+0xc0/0x320 
            mcopy_atomic+0x96f/0xbe0 
            userfaultfd_ioctl+0x218/0xe90 
            do_vfs_ioctl+0xa5/0x600
            SyS_ioctl+0x79/0x90
            entry_SYSCALL_64_fastpath+0x1a/0xa9

References:

https://marc.info/?l=linux-mm&m=150169274317930

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5af10dfd0afc559bb4b0f7e3e8227a1578333995
Comment 2 Wade Mealing 2018-01-22 09:01:07 UTC 
Statement:
This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 and 6 and kernel-alt.

This issue affects the Linux kernel packages as shipped with Red Hat
Enterprise Linux 7, MRG-2 and kernel-rt  prior to version kernel-3.10.0-781.
Comment 6 Wade Mealing 2018-02-14 06:07:30 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1545040]
Comment 7 Justin M. Forbes 2018-02-14 14:39:35 UTC 
This was fixed for Fedora with the 4.13 rebases.
Comment 8 errata-xmlrpc 2018-04-10 08:14:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0676 https://access.redhat.com/errata/RHSA-2018:0676
Comment 9 errata-xmlrpc 2018-04-10 09:37:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1062 https://access.redhat.com/errata/RHSA-2018:1062
Note You need to log in before you can comment on or make changes to this bug.