Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4F578E2E.3000208@redhat.com>
Date: Wed, 07 Mar 2012 09:34:54 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request -- kernel: mm: memcg: unregistring
 of events attached to the same eventfd can lead to oops

On 03/07/2012 03:57 AM, Petr Matousek wrote:
> There is an issue when memcg unregisters events that were attached to
> the same eventfd:
> 
> - On the first call mem_cgroup_usage_unregister_event() removes all
>   events attached to a given eventfd, and if there were no events left,
>   thresholds->primary would become NULL;
> 
> - Since there were several events registered, cgroups core will call
>   mem_cgroup_usage_unregister_event() again, but now kernel will oops,
>   as the function doesn't expect that threshold->primary may be NULL.
> 
>  BUG: unable to handle kernel NULL pointer dereference at
> 0000000000000004
>  IP: [<ffffffff810be32c>] mem_cgroup_usage_unregister_event+0x9c/0x1f0
>  Pid: 574, comm: kworker/0:2 Not tainted 3.3.0-rc4+ #9 Bochs Bochs
>  RIP: 0010:[<ffffffff810be32c>]  [<ffffffff810be32c>]
> mem_cgroup_usage_unregister_event+0x9c/0x1f0
>  RSP: 0018:ffff88001d0b9d60  EFLAGS: 00010246
>  Process kworker/0:2 (pid: 574, threadinfo ffff88001d0b8000, task
> ffff88001de91cc0)
>  Call Trace:
>   [<ffffffff8107092b>] cgroup_event_remove+0x2b/0x60
>   [<ffffffff8103db94>] process_one_work+0x174/0x450
>   [<ffffffff8103e413>] worker_thread+0x123/0x2d0
> 
> A local attacker able to register threshold events could use this flaw
> to crash the system.
> 
> The earliest commit that *might* introduce this issue is 2e72b634 in
> 2.6.34-rc2. I haven't tested it though and the code isi slightly
> different.
> 
> On the current kernels without the fix I'm able to reproduce the bug
> easily.
> 
> Upstream commit:
> 371528c (3.3-rc5)
> 
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=800813
> http://git.kernel.org/linus/371528c
> 
> Thanks,

Please use CVE-2012-1146 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.