Bug 87913 - Kernel: "is_hugepage_only_range()" Denial of Service (CAN-2005-0916)
Summary: Kernel: "is_hugepage_only_range()" Denial of Service (CAN-2005-0916)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Kernel (show other bugs)
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/14718/
Whiteboard: [linux < 2.6.12]
Keywords:
Depends on:
Blocks:
 
Reported: 2005-04-04 07:44 UTC by Jean-François Brunette (RETIRED)
Modified: 2009-05-03 15:10 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
patch to rectify CAN-2005-0916 (arch-ppc64-hugepage-aio-panic.patch,7.76 KB, patch)
2005-04-11 12:12 UTC, Kerin Millar

Description Jean-François Brunette (RETIRED) gentoo-dev 2005-04-04 07:44:55 UTC
Description:
Daniel McNeil has reported a vulnerability in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused by an error in the AIO (Asynchronous I/O) support within the "is_hugepage_only_range()" function. This can be exploited via a specially crafted program calling the "io_queue_init()" function and then exiting without calling the "io_queue_release()" function.

Successful exploitation crashes the system on PPC64 and IA64 architectures, but requires that CONFIG_HUGETLB_PAGE is enabled.

The vulnerability has been reported in versions 2.6.8 and 2.6.11. Other versions may also be affected.

Solution:
Grant only trusted users access to affected systems.
Comment 1 Kerin Millar 2005-04-11 12:10:40 UTC
Daniel McNeil also came up with a patch which I shall attach here (lifted verbatim from Debian's patchset). Reference:

http://linux.bkbits.net:8080/linux-2.6/cset@4248c8c0es30_4YVdwa6vteKi7h_nw
Comment 2 Kerin Millar 2005-04-11 12:12:06 UTC
Created attachment 56012 [details, diff]
patch to rectify CAN-2005-0916

This instance was taken from debian-2.6.11-2. Also available from:
http://linux.bkbits.net:8080/linux-2.6/cset@4248c8c0es30_4YVdwa6vteKi7h_nw
Comment 3 Joshua Kinard gentoo-dev 2005-04-23 22:29:43 UTC
mips-sources fixed.
Comment 4 solar (RETIRED) gentoo-dev 2005-05-02 07:47:02 UTC
Kumba, does this affect the mips arch?
The advisory only mentions ia64 and ppc64.
Comment 5 Tim Yamin (RETIRED) gentoo-dev 2005-05-05 13:36:16 UTC
Kernel maintainers: This affects 2.6.11 so gentoo-sources et al. still need patching.
Comment 6 Daniel Drake (RETIRED) gentoo-dev 2005-05-10 15:51:04 UTC
Fixed in gentoo-sources-2.6.11-r8
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2005-05-11 09:35:46 UTC
stable on ppc64
Comment 8 Aron Griffis (RETIRED) gentoo-dev 2005-05-11 19:36:26 UTC
stable on ia64
Comment 9 Joshua Kinard gentoo-dev 2005-05-17 21:06:54 UTC
solar: Because the patch touches files in mm/ and include/linux/, I felt it prudent to add it into our patchset anyway. While the chances of it affecting us are incredibly slim, if any at all, it shouldn't hurt things to include it on the off chance.
Comment 10 Tim Yamin (RETIRED) gentoo-dev 2005-11-26 03:06:53 UTC
All fixed, closing bug.