List:       oss-security
Subject:    [oss-security] CVE Request -- kernel: request_module() OOM local DoS
From:       Petr Matousek <pmatouse () redhat ! com>
Date:       2012-08-31 16:40:28
Message-ID: 20120831164028.GF19175 () dhcp-25-225 ! brq ! redhat ! com

As Tetsuo Handa pointed out, request_module() can stress the system
while the oom-killed caller sleeps in TASK_UNINTERRUPTIBLE.

The task T uses "almost all" memory, then it does something which
triggers request_module().  Say, it can simply call sys_socket().  This
in turn needs more memory and leads to OOM.  oom-killer correctly
chooses T and kills it, but this can't help because it sleeps in
TASK_UNINTERRUPTIBLE and after that oom-killer becomes "disabled" by the
TIF_MEMDIE task T.

A local unprivileged user can make the system unusable.

Upstream fixes:
(1) 70834d30 "usermodehelper: use UMH_WAIT_PROC consistently"
(2) b3449922 "usermodehelper: introduce umh_complete(sub_info)"
(3) d0bd587a "usermodehelper: implement UMH_KILLABLE"
(4) 9d944ef3 "usermodehelper: kill umh_wait, renumber UMH_* constants"
(5) 5b9bd473 "usermodehelper: ____call_usermodehelper() doesn't need
do_exit()"
(6) 3e63a93b "kmod: introduce call_modprobe() helper"
(7) 1cc684ab "kmod: make __request_module() killable"

According to the reporter, (1) and (4) are optional and safer to
exclude.

Acknowledgements:

Red Hat would like to thank Tetsuo Handa for reporting this issue.

References:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/963685
https://bugzilla.redhat.com/show_bug.cgi?id=853474

Thanks,
-- 
Petr Matousek / Red Hat Security Response Team
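
Added example (not part of the original message and not Red Hat's tooling): a shell check that reports which of the fixes listed above appear in a kernel tree's commit subjects, treating (1) and (4) as optional as the message states. It assumes backports keep the upstream subject line unchanged; the function names and the script name are hypothetical.

```sh
#!/bin/sh
# Fix subjects copied from the message above. "opt" marks (1) and (4),
# which the reporter considers optional; the rest are "req".
fix_list() {
cat <<'EOF'
opt|usermodehelper: use UMH_WAIT_PROC consistently
req|usermodehelper: introduce umh_complete(sub_info)
req|usermodehelper: implement UMH_KILLABLE
opt|usermodehelper: kill umh_wait, renumber UMH_* constants
req|usermodehelper: ____call_usermodehelper() doesn't need do_exit()
req|kmod: introduce call_modprobe() helper
req|kmod: make __request_module() killable
EOF
}

# audit_subjects FILE
# FILE holds one commit subject per line (e.g. from `git log --format=%s`).
# Prints one status line per fix; returns 0 only if every "req" fix is present.
# Assumption: a backport keeps the upstream subject line byte for byte.
audit_subjects() {
    subjects_file=$1
    missing=0
    while IFS='|' read -r kind subject; do
        # -x -F: whole-line, literal match, so "*" and "()" are not patterns
        if grep -qxF -- "$subject" "$subjects_file"; then
            echo "present  ($kind) $subject"
        elif [ "$kind" = req ]; then
            echo "MISSING  ($kind) $subject"
            missing=$((missing + 1))
        else
            echo "absent   ($kind) $subject"
        fi
    done <<EOF
$(fix_list)
EOF
    [ "$missing" -eq 0 ]
}

# Usage: sh audit-kmod-fixes.sh /path/to/linux-tree
if [ "$#" -gt 0 ]; then
    tmp=$(mktemp)
    git -C "$1" log --format=%s > "$tmp"
    audit_subjects "$tmp"; rc=$?
    rm -f "$tmp"
    exit "$rc"
fi
```

A tree whose backports were squashed or retitled will show as MISSING and needs a manual look at the usermodehelper and kmod code instead.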