Bug 100718 (CVE-2005-0916)

Summary: VUL-0: CVE-2005-0916: kernel: missed patch for hugetlb problem / CAN-2005-0916
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Marcus Meissner <meissner>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: gp, klaus, security-team, smueller
Version: unspecified
Target Milestone: ---
Hardware: PowerPC-64
OS: All
Whiteboard: CVE-2005-0916: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: hugepage-secfix-CAN-2005-0916.patch
ppc64-hugepage-secfix-CAN-2005-0916.patch
ppc64-hugepage-secfix-CAN-2005-0916.patch

Description Marcus Meissner 2005-08-04 12:54:08 UTC
There is a CAN-2005-0916 entry which states:  
AIO in the Linux kernel 2.6.11 on the PPC64 or IA64 architectures with  
CONFIG_HUGETLB_PAGE enabled allows local users to cause a denial of service  
(system panic) via a process that executes the io_queue_init function but  
exits without running io_queue_release, which causes exit_aio and  
is_hugepage_only_range to fail.  
  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0916  
  
While this entry only says 2.6.11, I think (after reviewing kernel CVS)  
that we have this support in our SLES 9 kernel.  
  
So we need to fix this for SLES 9.  
  
I do not really know who is doing hugepage stuff... Andrea? Andi?
Comment 1 Marcus Meissner 2005-08-04 12:55:19 UTC
Created attachment 44804 [details]
hugepage-secfix-CAN-2005-0916.patch

patch referenced in CAN entry.
Comment 2 Marcus Meissner 2005-08-04 13:12:51 UTC
   4 local root user
  +1 default package
  +1 default active
  -1 DoS

Total Score: 5 (Moderate)

Comment 3 Roman Drahtmueller 2005-08-04 16:34:36 UTC
Adding the evaluators to Cc:.
Comment 4 Marcus Meissner 2005-08-15 14:37:07 UTC
Andreas Schwab / Andi Kleen ... can you please review
and backport to SLES 9?
Comment 5 Andreas Schwab 2005-08-15 16:09:49 UTC
100% no-op on ia64. 
Comment 6 Olaf Kirch 2005-08-16 09:44:37 UTC
Andi, is it safe to include this patch in the next security update? 
Please comment and assign back to me. Thanks! 
Comment 7 Andreas Kleen 2005-08-16 13:12:07 UTC
The patch only affects PPC64. It looks safe to me.
Comment 8 Olaf Kirch 2005-08-16 13:20:10 UTC
Ugh, sorry. For some reason I read x86_64 not ppc64. 
Reassigning to the PPC team. 
Folks, if you think this patch is safe for the next update please 
coordinate with Marcus. 
Comment 9 Olaf Hering 2005-08-16 14:04:23 UTC
It's now in the sp2/3 branch, compile tested. Closing.

+- add patches.arch/ppc64-hugepage-secfix-CAN-2005-0916.patch
+  fix possible oops on ppc64 in AIO hugepage handling (100718)
Comment 12 Marcus Meissner 2005-08-24 11:26:35 UTC
we can postpone to sp3 too.  
Comment 15 Marcus Meissner 2005-08-24 16:20:24 UTC
Created attachment 47437 [details]
ppc64-hugepage-secfix-CAN-2005-0916.patch

using _mm suffix instead of __
Comment 16 Marcus Meissner 2005-08-24 17:00:36 UTC
asked olh to review and apply. 
 
okir, perhaps you can also have a look. 
Comment 17 Marcus Meissner 2005-08-24 17:07:09 UTC
Created attachment 47442 [details]
ppc64-hugepage-secfix-CAN-2005-0916.patch

missed the asm-ia64/page.h hunk
Comment 18 Olaf Hering 2005-08-25 06:21:11 UTC
new version committed

+- update patches.arch/ppc64-hugepage-secfix-CAN-2005-0916.patch
+  preserve the is_hugepage_only_range API (100718)
Comment 19 Olaf Kirch 2005-08-25 06:47:00 UTC
Some nitpicks: 
 
include/asm-ppc64/page.h 
	touches_hugepage_low_range is removed; how will this compile on 
	ppc64? 
 
mm/mmap.c 
	the last two chunks of the original patch are gone. 
	Is this intentional? 
 
-@@ -584,7 +584,7 @@ 
-               vma = find_vma(mm, addr); 
-               if (TASK_SIZE - len >= addr && 
-                               (!vma || addr + len <= vma->vm_start) 
--                              && !is_hugepage_only_range(addr,len)) 
-+                              && !is_hugepage_only_range(mm, addr,len)) 
-                       return addr; 
-       } 
- 
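Review bot: dropping this hunk leaves the caller on is_hugepage_only_range(addr, len), which comment 20 says still expands to the old macro that reads current->mm; that is only safe for callers running in the task that owns the mm, so the exit_aio path named in the bug summary must reach the mm-taking variant instead, as the hunk's `+` line does with `!is_hugepage_only_range(mm, addr,len)`.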
-@@ -597,7 +597,7 @@ 
-       addr = (mm->free_area_cache - len) & PAGE_MASK; 
-       do { 
- hugepage_recheck: 
--              if (touches_hugepage_low_range(addr, len)) { 
-+              if (touches_hugepage_low_range(mm, addr, len)) { 
-                       addr = (addr & ((~0) << SID_SHIFT)) - len; 
-                       goto hugepage_recheck; 
-               } else if (touches_hugepage_high_range(addr, len)) { 
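Review bot: the `+` line calls touches_hugepage_low_range(mm, addr, len), but the include/asm-ppc64/page.h hunk removes touches_hugepage_low_range and the backport names its mm-taking form with an _mm suffix (comments 15 and 20); this call site therefore has to be switched to touches_hugepage_low_range_mm(mm, addr, len) or the two-argument macro has to be kept, otherwise ppc64 will not build.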
 
Comment 20 Marcus Meissner 2005-08-25 08:37:49 UTC
question 1:  
all uses of touches_hugepage_low_range now use touches_hugepage_low_range_mm.  
This seemed to be an internal ppc macro.  
  
question 2:  
only 1 hunk of the mm/mmap.c diff is gone; there I left is_hugepage_only_range 
as-is (calling the old macro that uses current->mm).
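As an added illustration (not the bug's attached patch or SUSE's code), the following user-space C model shows why the backport discussed above keeps the current->mm-based is_hugepage_only_range for mmap callers but adds an _mm variant for the exit_aio path from the CAN entry: once exit_mm() has cleared current->mm, only an explicitly passed mm can be consulted. The constants, struct layouts and low_esid_mask() helper are assumptions loosely modelled on the ppc64 page.h macros named in this bug, not copies of them.

```c
/* Added example, not the bug's attached patch: user-space model of the ppc64 hugepage
 * range checks named in this bug. Constants, structs and low_esid_mask() are assumptions. */
#include <stdbool.h>
#include <stddef.h>

#define SID_SHIFT 28                       /* 256 MB segments */
#define GET_ESID(addr) ((addr) >> SID_SHIFT)
#define TASK_HPAGE_BASE (1UL << 40)        /* assumed: high hugepage area start */
#define TASK_HPAGE_END  (3UL << 39)        /* assumed: high hugepage area end */

struct mm_struct   { struct { unsigned short htlb_segs; } context; }; /* low-segment bitmap */
struct task_struct { struct mm_struct *mm; };
static struct task_struct current_task;    /* stand-in for the kernel's `current` */
#define current (&current_task)

/* Bitmask of the 256 MB segments below 4 GB that [addr, addr+len) touches. */
static unsigned low_esid_mask(unsigned long addr, unsigned long len)
{
    unsigned long first = GET_ESID(addr), last = GET_ESID(addr + len - 1);
    if (first >= 16)
        return 0;                          /* entirely above 4 GB: no low segment */
    if (last > 15)
        last = 15;
    return (unsigned)(((1UL << (last + 1)) - (1UL << first)) & 0xffffU);
}

#define touches_hugepage_high_range(addr, len) \
    (((addr) > (TASK_HPAGE_BASE - (len))) && ((addr) < TASK_HPAGE_END))
/* _mm variant from the backport: the caller states which mm it means. */
#define touches_hugepage_low_range_mm(mm, addr, len) \
    (low_esid_mask((addr), (len)) & (mm)->context.htlb_segs)
#define is_hugepage_only_range_mm(mm, addr, len) \
    (touches_hugepage_high_range((addr), (len)) || \
     touches_hugepage_low_range_mm((mm), (addr), (len)))
/* Legacy name preserved for callers that run inside the owning task (comment 20). */
#define is_hugepage_only_range(addr, len) \
    is_hugepage_only_range_mm(current->mm, (addr), (len))

/* arch_get_unmapped_area() context: current->mm is the task's own mm, legacy macro OK. */
bool mmap_path_check(struct mm_struct *mm, unsigned long addr, unsigned long len)
{
    current->mm = mm;
    return is_hugepage_only_range(addr, len);
}

/* exit_aio() context: exit_mm() already cleared current->mm, so the legacy macro would
 * dereference NULL; the AIO context's own mm must be passed explicitly instead. */
bool exit_aio_check(struct mm_struct *ctx_mm, unsigned long addr, unsigned long len)
{
    current->mm = NULL;
    return is_hugepage_only_range_mm(ctx_mm, addr, len);
}
```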
Comment 21 Olaf Kirch 2005-08-25 08:47:57 UTC
Ah, the first patch attached below is vs 2.6.11, and the other one is vs. 
2.6.5. That explains the difference between the two. 
Comment 22 Marcus Meissner 2005-09-01 14:41:17 UTC
updates released + advisory.  
Comment 23 Thomas Biege 2009-10-13 21:18:21 UTC
CVE-2005-0916: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)