oss-security - Re: CVE request: kernel: thp: madvise on top of /dev/zero private mapping can lead to panic

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Date: Mon, 20 Jun 2011 15:11:27 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: kernel: thp: madvise on top of
 /dev/zero private mapping can lead to panic

----- Original Message -----
> Description of problem:
> The huge_memory.c THP page fault was allowed to run if vm_ops was null
> (which would succeed for /dev/zero MAP_PRIVATE, as the f_op->mmap
> wouldn't setup a special vma->vm_ops and it would fallback to regular
> anonymous memory) but other THP logics weren't fully activated for
> vmas with vm_file not NULL (/dev/zero has a not NULL vma->vm_file).
> 
> Unprivileged local user could use this flaw to crash the server.
> 
> Upstream patch: 78f11a255749d09025f54d4e2df4fbcb031530e2
> 
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=714761
> https://bugzilla.kernel.org/show_bug.cgi?id=33682
> http://www.spinics.net/lists/stable-commits/msg11762.html
> 

Please use CVE-2011-2479.

Thanks.

-- 
    JB

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.