'Re: [oss-security] CVE Request -- kernel: mm: read_pmd_atomic: 32bit PAE pmd walk vs pmd_populate SM'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE Request -- kernel: mm: read_pmd_atomic: 32bit PAE pmd walk vs pmd_populate SM
From:       Petr Matousek <pmatouse () redhat ! com>
Date:       2012-05-24 18:08:05
Message-ID: 20120524180804.GM20735 () dhcp-25-225 ! brq ! redhat ! com
[Download RAW message or body]

On Thu, May 24, 2012 at 11:03:00AM -0700, akuster wrote:
> is 1a5a9906d4e8d1976b701f889d8f35d54b928f25 the upstream fix?

no, that is CVE-2012-1179.

petr

> 
> -armin
> 
> On 05/18/2012 02:37 AM, Petr Matousek wrote:
> > When holding the mmap_sem for reading, pmd_offset_map_lock should only
> > run on a pmd_t that has been read atomically from the pmdp
> > pointer, otherwise we may read only half of it leading to this crash.
> > 
> > PID: 11679  TASK: f06e8000  CPU: 3   COMMAND: "do_race_2_panic"
> >  #0 [f06a9dd8] crash_kexec at c049b5ec
> >  #1 [f06a9e2c] oops_end at c083d1c2
> >  #2 [f06a9e40] no_context at c0433ded
> >  #3 [f06a9e64] bad_area_nosemaphore at c043401a
> >  #4 [f06a9e6c] __do_page_fault at c0434493
> >  #5 [f06a9eec] do_page_fault at c083eb45
> >  #6 [f06a9f04] error_code (via page_fault) at c083c5d5
> >     EAX: 01fb470c EBX: fff35000 ECX: 00000003 EDX: 00000100 EBP:
> >     00000000
> >     DS:  007b     ESI: 9e201000 ES:  007b     EDI: 01fb4700 GS:  00e0
> >     CS:  0060     EIP: c083bc14 ERR: ffffffff EFLAGS: 00010246
> >  #7 [f06a9f38] _spin_lock at c083bc14
> >  #8 [f06a9f44] sys_mincore at c0507b7d
> >  #9 [f06a9fb0] system_call at c083becd
> >                          start           len
> >     EAX: ffffffda  EBX: 9e200000  ECX: 00001000  EDX: 6228537f
> >     DS:  007b      ESI: 00000000  ES:  007b      EDI: 003d0f00
> >     SS:  007b      ESP: 62285354  EBP: 62285388  GS:  0033
> >     CS:  0073      EIP: 00291416  ERR: 000000da  EFLAGS: 00000286
> > 
> > This should be a longstanding bug affecting x86 32bit PAE without
> > THP. Only archs with 64bit large pmd_t and 32bit unsigned long should
> > be affected.
> > 
> > An unprivileged local user could use this flaw to crash the system.
> > 
> > Proposed fix:
> > http://permalink.gmane.org/gmane.linux.kernel.mm/78590
> > 
> > References:
> > https://bugzilla.redhat.com/show_bug.cgi?id=822821
> > http://permalink.gmane.org/gmane.linux.kernel.mm/78590
> > 
> > Thanks,

-- 
Petr Matousek / Red Hat Security Response Team
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic