List: oss-security
Subject: Re: [oss-security] CVE Request -- kernel: mm: read_pmd_atomic: 32bit PAE pmd walk vs pmd_populate SM
From: Petr Matousek <pmatouse () redhat ! com>
Date: 2012-05-24 18:08:05
Message-ID: 20120524180804.GM20735 () dhcp-25-225 ! brq ! redhat ! com
On Thu, May 24, 2012 at 11:03:00AM -0700, akuster wrote:
> is 1a5a9906d4e8d1976b701f889d8f35d54b928f25 the upstream fix?
No, that is CVE-2012-1179.
petr
>
> -armin
>
> On 05/18/2012 02:37 AM, Petr Matousek wrote:
> > When holding the mmap_sem for reading, pmd_offset_map_lock should only
> > run on a pmd_t that has been read atomically from the pmdp
> > pointer, otherwise we may read only half of it leading to this crash.
> >
> > PID: 11679 TASK: f06e8000 CPU: 3 COMMAND: "do_race_2_panic"
> > #0 [f06a9dd8] crash_kexec at c049b5ec
> > #1 [f06a9e2c] oops_end at c083d1c2
> > #2 [f06a9e40] no_context at c0433ded
> > #3 [f06a9e64] bad_area_nosemaphore at c043401a
> > #4 [f06a9e6c] __do_page_fault at c0434493
> > #5 [f06a9eec] do_page_fault at c083eb45
> > #6 [f06a9f04] error_code (via page_fault) at c083c5d5
> > EAX: 01fb470c EBX: fff35000 ECX: 00000003 EDX: 00000100 EBP: 00000000
> > DS: 007b ESI: 9e201000 ES: 007b EDI: 01fb4700 GS: 00e0
> > CS: 0060 EIP: c083bc14 ERR: ffffffff EFLAGS: 00010246
> > #7 [f06a9f38] _spin_lock at c083bc14
> > #8 [f06a9f44] sys_mincore at c0507b7d
> > #9 [f06a9fb0] system_call at c083becd
> > start len
> > EAX: ffffffda EBX: 9e200000 ECX: 00001000 EDX: 6228537f
> > DS: 007b ESI: 00000000 ES: 007b EDI: 003d0f00
> > SS: 007b ESP: 62285354 EBP: 62285388 GS: 0033
> > CS: 0073 EIP: 00291416 ERR: 000000da EFLAGS: 00000286
> >
> > This should be a longstanding bug affecting x86 32bit PAE without
> > THP. Only archs with 64bit large pmd_t and 32bit unsigned long should
> > be affected.
> >
> > An unprivileged local user could use this flaw to crash the system.
> >
> > Proposed fix:
> > http://permalink.gmane.org/gmane.linux.kernel.mm/78590
> >
> > References:
> > https://bugzilla.redhat.com/show_bug.cgi?id=822821
> > http://permalink.gmane.org/gmane.linux.kernel.mm/78590
> >
> > Thanks,
--
Petr Matousek / Red Hat Security Response Team
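The quoted report explains the bug in one sentence: on 32-bit PAE a pmd_t is 64 bits wide while the CPU's native word is 32 bits, so a plain C read of `*pmdp` is two loads, and a `pmd_populate()` that lands between them leaves the reader with half of the old pmd and half of the new one. The following is an added example, written for this page and not code from the thread or from the proposed fix it links to (the patch itself is not on the page): it models that torn read deterministically so the bad value can be seen, and shows one reader that avoids it without THP. The names `pmd_read_unsafe`, `pmd_read_nothp`, `between_loads`, `observe` and `is_torn` are mine; `NEW_PMD` is a constructed value. Two assumptions are built in and marked in the comments: the writer side stores all 64 bits atomically, and without THP a pmd only ever changes from none to populated while `mmap_sem` is held for reading.

```c
/*
 * Added example, not code from this thread or from the fix it links to:
 * a deterministic model of the torn pmd read on 32-bit x86 PAE. A pmd_t is
 * 64 bits wide there but the native word is 32 bits, so a plain read of
 * *pmdp is two 32-bit loads; if pmd_populate() lands between them the
 * reader gets half old, half new, and dereferences that as a page table.
 */
#include <stdint.h>
#include <stdio.h>

typedef uint64_t pmdval_t;
/* Union instead of the kernel's struct so both halves can be read without
 * an aliasing cast; little-endian, so w[0] is the low word. */
typedef union { pmdval_t pmd; uint32_t w[2]; } pmd_t;

#define _PAGE_PRESENT 0x1ULL

/* Hook run between a reader's two loads; the scenario installs the racing
 * pmd_populate() here so the interleaving is reproducible. */
static void (*between_loads)(void);
static void run_between_loads(void) { if (between_loads) between_loads(); }

/* Writer. Assumption: one atomic 64-bit store, as PAE set_pmd() does with
 * cmpxchg8b, so the tearing is purely on the read side. */
static void pmd_populate(pmd_t *pmdp, pmdval_t val)
{
    __atomic_store_n(&pmdp->pmd, val, __ATOMIC_SEQ_CST);
}

/* The unsafe reader as a 32-bit compiler emits it: two independent word
 * loads, in whichever order the compiler picks, so model both. */
static pmd_t pmd_read_unsafe(pmd_t *pmdp, int high_first)
{
    uint32_t lo, hi;
    if (high_first) {
        hi = pmdp->w[1]; run_between_loads(); lo = pmdp->w[0];
    } else {
        lo = pmdp->w[0]; run_between_loads(); hi = pmdp->w[1];
    }
    return (pmd_t){ .pmd = ((pmdval_t)hi << 32) | lo };
}

/* Reader that is safe without THP. Assumption: with mmap_sem held for read
 * and no THP, a pmd only goes from none (all zero) to populated, never back
 * or to another value. Read the low word first: zero means none and the
 * high word is never touched; non-zero means the pmd is already complete,
 * so the high word read afterwards belongs to the same pmd. With THP a pmd
 * can change between two populated values and only a true 64-bit atomic
 * load (cmpxchg8b) is safe; that case is not modelled here. */
static pmd_t pmd_read_nothp(pmd_t *pmdp)
{
    pmdval_t ret = pmdp->w[0];
    if (ret) {
        __atomic_thread_fence(__ATOMIC_ACQUIRE);   /* stands in for smp_rmb() */
        run_between_loads();
        ret |= (pmdval_t)pmdp->w[1] << 32;
    }
    return (pmd_t){ .pmd = ret };
}

/* A value is torn when it matches neither the old nor the new pmd. */
static int is_torn(pmd_t seen, pmdval_t oldv, pmdval_t newv)
{
    return seen.pmd != oldv && seen.pmd != newv;
}

/* Scenario: pmd goes from none to a page table at physical 0x123456000
 * (constructed value: present bit set, both 32-bit halves non-zero). */
static pmd_t g_pmd;
static const pmdval_t NEW_PMD = 0x123456000ULL | _PAGE_PRESENT;
static void racing_populate(void) { pmd_populate(&g_pmd, NEW_PMD); }

/* Run one reader against a pmd that is none, with pmd_populate() racing
 * between its loads. which: 0 = unsafe low-first, 1 = unsafe high-first,
 * 2 = the no-THP reader. */
static pmd_t observe(int which)
{
    pmd_t seen;
    g_pmd.pmd = 0;
    between_loads = racing_populate;
    seen = which == 2 ? pmd_read_nothp(&g_pmd) : pmd_read_unsafe(&g_pmd, which);
    between_loads = 0;
    return seen;
}

int main(void)
{
    static const char *name[] = { "unsafe, low word first", "unsafe, high word first", "no-THP reader" };
    for (int i = 0; i < 3; i++) {
        pmd_t s = observe(i);
        printf("%-24s saw %#018llx torn=%d\n", name[i], (unsigned long long)s.pmd, is_torn(s, 0, NEW_PMD));
    }
    return 0;
}
```

The two unsafe orderings produce 0x23456001 (present bit set, but the high address bits lost, so a page table at the wrong physical address) and 0x100000000 (not none, not present, not the real pmd); either is exactly the kind of value that the crash above shows sys_mincore handing to _spin_lock. The no-THP reader returns none in the same interleaving, which is a correct snapshot of the pmd before the populate, and reading it later returns the complete new value.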