Bug 405553 (CVE-2011-4325)

Summary:	linux < 2.6.31-rc6 kernel: nfs: diotest4 from LTP crash client null pointer deref (CVE-2011-4325)
Product:	Gentoo Security	Reporter:	Michael Harrison <n0idx80>
Component:	Kernel	Assignee:	Gentoo Kernel Security <security-kernel>
Status:	RESOLVED OBSOLETE
Severity:	minor	CC:	kernel
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://bugzilla.redhat.com/show_bug.cgi?id=755455
Whiteboard:	[linux < 2.6.31-rc6]
Package list:		Runtime testing required:	---

Description Michael Harrison 2012-02-24 10:35:37 UTC

diotest4 from LTP will crash client on NFS mount. Not a regression, 5.7 GA
kernel has the same issue.

Unable to handle kernel NULL pointer dereference at 0000000000000038 RIP:
 [<ffffffff887aed65>] :nfs:__put_nfs_open_context+0x7/0x93
PGD 16bba2067 PUD 14bcd1067 PMD 0
Oops: 0000 [1] SMP
last sysfs file: /devices/pci0000:00/0000:00:00.0/local_cpus
CPU 2
Modules linked in: nfs nfsd exportfs nfs_acl auth_rpcgss autofs4 hidp rfcomm
l2cap bluetooth lockd sunrpc cpufreq_ondemand acpi_cpufreq freq_table mperf
ipt_REJECT ip6t_REJECT xt_tcpudp ip6table_filter ip6_tables x_tables be2iscsi
ib_iser rdma_cm ib_cm iw_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp bnx2i cnic
ipv6 xfrm_nalgo crypto_api uio cxgb3i libcxgbi cxgb3 8021q libiscsi_tcp
libiscsi2 scsi_transport_iscsi2 scsi_transport_iscsi dm_mirror dm_multipath
scsi_dh video backlight sbs power_meter hwmon i2c_ec dell_wmi wmi button
battery asus_acpi acpi_memhotplug ac parport_pc lp parport joydev i2c_i801
i2c_core ide_cd cdc_ether i7core_edac cdrom usbnet edac_mc tpm_tis tpm tpm_bios
bnx2 sg pcspkr dm_raid45 dm_message dm_region_hash dm_log dm_mod dm_mem_cache
ata_piix libata shpchp megaraid_sas sd_mod scsi_mod ext3 jbd uhci_hcd ohci_hcd
ehci_hcd
Pid: 4577, comm: diotest4 Not tainted 2.6.18-296.el5 #1
RIP: 0010:[<ffffffff887aed65>]  [<ffffffff887aed65>]
:nfs:__put_nfs_open_context+0x7/0x93
RSP: 0018:ffff810153cc1d28  EFLAGS: 00010246
RAX: ffff81014df95b10 RBX: ffff81014df95840 RCX: ffff81017fe5e608
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff81014df95840 R08: ffff81014df95840 R09: 0000000000000000
R10: ffff81014df95840 R11: 0000000000000310 R12: 0000000000000000
R13: 0000000000001000 R14: ffff81014aff9218 R15: ffff81014ced68c0
FS:  00002b51e08b3af0(0000) GS:ffff810105524ec0(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000038 CR3: 000000014a8fb000 CR4: 00000000000006a0
Process diotest4 (pid: 4577, threadinfo ffff810153cc0000, task
ffff81017fc877a0)
Stack:  ffff81014df95840 ffff81014df95840 ffff81014ced6898 ffffffff887b4459
 fffffffffffffff4 ffffffff887ccca6 ffff810153cc1e68 0000000000001000
 ffff810153cc1e08 ffff81014a335a00 0000000000001000 0000000000008000
Call Trace:
 [<ffffffff887b4459>] :nfs:nfs_readdata_release+0x10/0x16
 [<ffffffff887ccca6>] :nfs:nfs_file_direct_read+0x1b8/0x52f
 [<ffffffff8000cf47>] do_sync_read+0xc7/0x104
 [<ffffffff887aef81>] :nfs:nfs_open+0x10b/0x125
 [<ffffffff800a3346>] autoremove_wake_function+0x0/0x2e
 [<ffffffff8000b72f>] vfs_read+0xcb/0x171
 [<ffffffff80011d15>] sys_read+0x45/0x6e
 [<ffffffff8005d28d>] tracesys+0xd5/0xe0


Code: 48 8b 47 38 48 89 fb 48 8b 68 10 48 8d b5 b4 00 00 00 e8 c9
RIP  [<ffffffff887aed65>] :nfs:__put_nfs_open_context+0x7/0x93
 RSP <ffff810153cc1d28>
CR2: 0000000000000038
 <0>Kernel panic - not syncing: Fatal exception

Upstream Commit:
http://git.kernel.org/linus/1ae88b2e4 (v2.6.31-rc6)

Comment 1 GLSAMaker/CVETool Bot gentoo-dev

2012-02-25 00:51:43 UTC

CVE-2011-4325 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4325):
  The NFS implementation in Linux kernel before 2.6.31-rc6 calls certain
  functions without properly initializing certain data, which allows local
  users to cause a denial of service (NULL pointer dereference and O_DIRECT
  oops), as demonstrated using diotest4 from LTP.

Comment 2 Aaron Bauman (RETIRED) gentoo-dev

2018-04-04 18:09:08 UTC

There are no longer any 2.x kernels available in the repository with the exception of sys-kernel/xbox-sources which is unsupported by security.