Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 18 May 2012 11:38:03 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com, Petr Matousek <pmatouse@...hat.com>
Subject: Re: CVE Request -- kernel: mm: read_pmd_atomic: 32bit
 PAE pmd walk vs pmd_populate SMP race condition

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/18/2012 03:37 AM, Petr Matousek wrote:
> When holding the mmap_sem for reading, pmd_offset_map_lock should
> only run on a pmd_t that has been read atomically from the pmdp 
> pointer, otherwise we may read only half of it leading to this
> crash.
> 
> PID: 11679  TASK: f06e8000  CPU: 3   COMMAND: "do_race_2_panic" #0
> [f06a9dd8] crash_kexec at c049b5ec #1 [f06a9e2c] oops_end at
> c083d1c2 #2 [f06a9e40] no_context at c0433ded #3 [f06a9e64]
> bad_area_nosemaphore at c043401a #4 [f06a9e6c] __do_page_fault at
> c0434493 #5 [f06a9eec] do_page_fault at c083eb45 #6 [f06a9f04]
> error_code (via page_fault) at c083c5d5 EAX: 01fb470c EBX: fff35000
> ECX: 00000003 EDX: 00000100 EBP: 00000000 DS:  007b     ESI:
> 9e201000 ES:  007b     EDI: 01fb4700 GS:  00e0 CS:  0060     EIP:
> c083bc14 ERR: ffffffff EFLAGS: 00010246 #7 [f06a9f38] _spin_lock at
> c083bc14 #8 [f06a9f44] sys_mincore at c0507b7d #9 [f06a9fb0]
> system_call at c083becd start           len EAX: ffffffda  EBX:
> 9e200000  ECX: 00001000  EDX: 6228537f DS:  007b      ESI: 00000000
> ES:  007b      EDI: 003d0f00 SS:  007b      ESP: 62285354  EBP:
> 62285388  GS:  0033 CS:  0073      EIP: 00291416  ERR: 000000da
> EFLAGS: 00000286
> 
> This should be a longstanding bug affecting x86 32bit PAE without 
> THP. Only archs with 64bit large pmd_t and 32bit unsigned long
> should be affected.
> 
> An unprivileged local user could use this flaw to crash the
> system.
> 
> Proposed fix: 
> http://permalink.gmane.org/gmane.linux.kernel.mm/78590
> 
> References: https://bugzilla.redhat.com/show_bug.cgi?id=822821 
> http://permalink.gmane.org/gmane.linux.kernel.mm/78590
> 
> Thanks,


Please use CVE-2012-2373 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPtoj7AAoJEBYNRVNeJnmTC9QQAM+wtUMuK8tpvoxLKGvSMVoV
cfFAiuSJ0gkN8iOyvOJpnst5Nyym+B71OsNthu8E+V/TbBEX47WjNeG4WfBtoYTb
6DBJ381Xkuuc+H89MBDEMSSzMcrz/28UaHdGCRCesSIj8iT/7f+rGyX2tqVSsD2s
xaXpAZcm5VQwsRVqGLMqGY4nFzqqylfZ7h/Csw7YAzTa6u8xALiAvjPy7VXDbdwJ
06zkKzDxhqgJCNJXftpXPhbhg3cUvcbCgi6EymX071dwjgp54xKPlYUdy6jz5QFD
pg1Zi05wzPVdH2rVQYTyxkSJ/IgS7B9nGtIBwqszBjnV5nLyHXfYfmoGvsuWe9v0
liCRXtLlsDLGKBu1gjYXASFpnGG2C/sZ4pu4cPIj5X2dHkExg6ToERzhDxH6WR9I
aldmQ5EHlBY95NDGkk9HCD3uDIV7UMG28ZyYTuGFsdA/6jD/SBAv3Z4Niykog5zX
39oKXQGDyAk+zFefLzEu+bWdf1CK04cN9ELV8pp++sB4XuzDw8KBS0CQpkWUkumy
nhkW4gHuc4qfjtidzvaN/KhhF2JzGBe/BpHLbf7d8CRKu2YYXMRhyLyZMHYTluuX
f6jCtLuGiWoVO3gshmgFAiFNgwuFDhGFaFeqtVXL7RprauYCtQFhJXDixaH1iE6i
FPAxG/6H77WeUNrcprCV
=J+W8
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ