Products Openwall GNU/*/Linux   server OS John the Ripper   password cracker Free & Open Source for any platform Pro for Linux (RPM package) Pro for Mac OS X (dmg package) Wordlists   for password cracking passwdqc   policy enforcement phpass   password hashing in PHP crypt_blowfish   ditto in C/C++ tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login Services Publications Articles Presentations Community Mailing lists Community wiki Donations Resources Source code repository (CVSweb) File archive & mirrors How to verify digital signatures Password recovery resources Recommended books What's new

Date: Fri, 18 May 2012 11:38:03 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com, Petr Matousek <pmatouse@...hat.com>
Subject: Re: CVE Request -- kernel: mm: read_pmd_atomic: 32bit
 PAE pmd walk vs pmd_populate SMP race condition

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/18/2012 03:37 AM, Petr Matousek wrote:
> When holding the mmap_sem for reading, pmd_offset_map_lock should
> only run on a pmd_t that has been read atomically from the pmdp 
> pointer, otherwise we may read only half of it leading to this
> crash.
> 
> PID: 11679  TASK: f06e8000  CPU: 3   COMMAND: "do_race_2_panic" #0
> [f06a9dd8] crash_kexec at c049b5ec #1 [f06a9e2c] oops_end at
> c083d1c2 #2 [f06a9e40] no_context at c0433ded #3 [f06a9e64]
> bad_area_nosemaphore at c043401a #4 [f06a9e6c] __do_page_fault at
> c0434493 #5 [f06a9eec] do_page_fault at c083eb45 #6 [f06a9f04]
> error_code (via page_fault) at c083c5d5 EAX: 01fb470c EBX: fff35000
> ECX: 00000003 EDX: 00000100 EBP: 00000000 DS:  007b     ESI:
> 9e201000 ES:  007b     EDI: 01fb4700 GS:  00e0 CS:  0060     EIP:
> c083bc14 ERR: ffffffff EFLAGS: 00010246 #7 [f06a9f38] _spin_lock at
> c083bc14 #8 [f06a9f44] sys_mincore at c0507b7d #9 [f06a9fb0]
> system_call at c083becd start           len EAX: ffffffda  EBX:
> 9e200000  ECX: 00001000  EDX: 6228537f DS:  007b      ESI: 00000000
> ES:  007b      EDI: 003d0f00 SS:  007b      ESP: 62285354  EBP:
> 62285388  GS:  0033 CS:  0073      EIP: 00291416  ERR: 000000da
> EFLAGS: 00000286
> 
> This should be a longstanding bug affecting x86 32bit PAE without 
> THP. Only archs with 64bit large pmd_t and 32bit unsigned long
> should be affected.
> 
> An unprivileged local user could use this flaw to crash the
> system.
> 
> Proposed fix: 
> http://permalink.gmane.org/gmane.linux.kernel.mm/78590
> 
> References: https://bugzilla.redhat.com/show_bug.cgi?id=822821 
> http://permalink.gmane.org/gmane.linux.kernel.mm/78590
> 
> Thanks,


Please use CVE-2012-2373 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPtoj7AAoJEBYNRVNeJnmTC9QQAM+wtUMuK8tpvoxLKGvSMVoV
cfFAiuSJ0gkN8iOyvOJpnst5Nyym+B71OsNthu8E+V/TbBEX47WjNeG4WfBtoYTb
6DBJ381Xkuuc+H89MBDEMSSzMcrz/28UaHdGCRCesSIj8iT/7f+rGyX2tqVSsD2s
xaXpAZcm5VQwsRVqGLMqGY4nFzqqylfZ7h/Csw7YAzTa6u8xALiAvjPy7VXDbdwJ
06zkKzDxhqgJCNJXftpXPhbhg3cUvcbCgi6EymX071dwjgp54xKPlYUdy6jz5QFD
pg1Zi05wzPVdH2rVQYTyxkSJ/IgS7B9nGtIBwqszBjnV5nLyHXfYfmoGvsuWe9v0
liCRXtLlsDLGKBu1gjYXASFpnGG2C/sZ4pu4cPIj5X2dHkExg6ToERzhDxH6WR9I
aldmQ5EHlBY95NDGkk9HCD3uDIV7UMG28ZyYTuGFsdA/6jD/SBAv3Z4Niykog5zX
39oKXQGDyAk+zFefLzEu+bWdf1CK04cN9ELV8pp++sB4XuzDw8KBS0CQpkWUkumy
nhkW4gHuc4qfjtidzvaN/KhhF2JzGBe/BpHLbf7d8CRKu2YYXMRhyLyZMHYTluuX
f6jCtLuGiWoVO3gshmgFAiFNgwuFDhGFaFeqtVXL7RprauYCtQFhJXDixaH1iE6i
FPAxG/6H77WeUNrcprCV
=J+W8
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ