
Bug 182198

Summary: Kernel: skip data conversion in compat_sys_mount when data_page is NULL (CVE-2006-7203)
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Kernel
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=822191a2fa1584a29c3224ab328507adcaeac1ab
Whiteboard: [linux < 2.6.16.38][linux >= 2.6.17 < 2.6.18.6][linux >= 2.6.19 < 2.6.19.1][gp < 2.6.18-7][gp >= 2.6.19-1 < 2.6.19-3]
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-16 07:10:10 UTC
[PATCH] skip data conversion in compat_sys_mount when data_page is NULL
 
The OpenVZ Linux kernel team has found a problem with mounting in compat mode.
 
The simple command "mount -t smbfs ..." on the Fedora Core 5 distro in 32-bit mode
leads to an oops:
 
   Unable to handle kernel NULL pointer dereference at 0000000000000000 RIP: compat_sys_mount+0xd6/0x290
   Process mount (pid: 14656, veid=300, threadinfo ffff810034d30000, task ffff810034c86bc0)
   Call Trace: ia32_sysret+0x0/0xa
 
The problem is that the data_page pointer can be NULL, so we should skip data
conversion in this case.
 
 Signed-off-by: Andrey Mirkin <amirkin@openvz.org>
 Cc: <stable@kernel.org>
 Signed-off-by: Andrew Morton <akpm@osdl.org>
 Signed-off-by: Linus Torvalds <torvalds@osdl.org>
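The defect and its fix, modelled in user-space C as an added illustration (not the kernel's code or the patch itself): a compat mount path that converts a 32-bit option record in place, first without and then with the NULL check the commit introduces. The struct layouts, `smb_data_conv` and the two `convert_mount_data_*` functions are constructed stand-ins for `compat_sys_mount` and `do_smb_super_data_conv`, not their real definitions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the 32-bit (compat) smbfs mount-option record a
 * 32-bit mount binary hands to a 64-bit kernel; widths are illustrative. */
struct compat_smb_mount_data {
    int32_t  version;
    uint16_t mounted_uid, uid, gid, file_mode, dir_mode;
};

/* Constructed stand-in for the native layout the filesystem code expects. */
struct smb_mount_data {
    int      version;
    uint32_t mounted_uid, uid, gid, file_mode, dir_mode;
};

/* In-place widening of the compat record inside the page-sized data buffer:
 * read the narrow layout out first, then write the wide one back. */
static void smb_data_conv(void *page)
{
    struct compat_smb_mount_data c;
    struct smb_mount_data n;
    memcpy(&c, page, sizeof c);
    n.version     = c.version;
    n.mounted_uid = c.mounted_uid;
    n.uid         = c.uid;
    n.gid         = c.gid;
    n.file_mode   = c.file_mode;
    n.dir_mode    = c.dir_mode;
    memcpy(page, &n, sizeof n);
}

/* Before the fix: conversion ran unconditionally, so a mount request with no
 * option string (data == NULL) dereferenced NULL in kernel mode: the oops
 * quoted above. Kept here only to show the defect; it crashes on NULL. */
static int convert_mount_data_unchecked(const char *type, void *data)
{
    if (strcmp(type, "smbfs") == 0)
        smb_data_conv(data);
    return 0;
}

/* After the fix: convert only when a data page was actually supplied; a NULL
 * data pointer is a legitimate "no options" mount and is passed through. */
static int convert_mount_data_checked(const char *type, void *data)
{
    if (data && strcmp(type, "smbfs") == 0)
        smb_data_conv(data);
    return 0;
}
```

The same pattern applies to every filesystem whose options the compat path rewrites: the type check alone does not establish that a data page exists.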
Comment 1 unnamedrambler 2008-03-21 19:39:52 UTC
[linux < 2.6.21.2] 041f08ecb28db5be31e6de339c7abb3fe369ec53

also on 2.6.22 as c483bab099cb89e92b7cad94a52fcdaf37e56657

[gp < 2.6.21-3]
Comment 2 unnamedrambler 2008-03-21 19:45:36 UTC
Egh, terribly sorry for the spam. I submitted the previous entry to the wrong bug; too many Bugzilla tabs open.

The correct data is:
[linux < 2.6.16.38] f701db35660a6017bef6d6e911d095bcf8b74010
[linux >= 2.6.17 < 2.6.18.6] 80dc4d3acce8103ad87e14ca8ae6b10a2785c5e5
[linux >= 2.6.19 < 2.6.19.1] 1157f82831d3745a61b897d9f8a38886c586d09f
also in 2.6.20 as 822191a2fa1584a29c3224ab328507adcaeac1ab

[gp < 2.6.18-7][gp >= 2.6.19-1 < 2.6.19-3]