Bugzilla – Bug 100718
VUL-0: CVE-2005-0916: kernel: missed patch for hugetlb problem / CAN-2005-0916
Last modified: 2021-11-20 16:25:06 UTC
There is a CAN-2005-0916 entry which states: AIO in the Linux kernel 2.6.11 on the PPC64 or IA64 architectures with CONFIG_HUGETLB_PAGE enabled allows local users to cause a denial of service (system panic) via a process that executes the io_queue_init function but exits without running io_queue_release, which causes exit_aio and is_hugepage_only_range to fail.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0916
While this entry only says 2.6.11, I think (after reviewing kernel CVS) that we have this support in our SLES 9 kernel. So we need to fix this for SLES 9. I do not really know who is doing hugepage stuff... Andrea? Andi?
Created attachment 44804 [details] hugepage-secfix-CAN-2005-0916.patch
Patch referenced in the CAN entry.
4 local root user
+1 default package
+1 default active
-1 DoS
Total Score: 5 (Moderate)
Adding the evaluators to Cc:.
Andreas Schwab / Andi Kleen ... can you please review and backport to SLES 9?
100% no-op on ia64.
Andi, is it safe to include this patch in the next security update? Please comment and assign back to me. Thanks!
The patch only affects PPC64. It looks safe to me.
Ugh, sorry. For some reason I read x86_64 not ppc64. Reassigning to the PPC team. Folks, if you think this patch is safe for the next update please coordinate with Marcus.
It's now in the sp2/3 branch, compile tested. Closing.
+- add patches.arch/ppc64-hugepage-secfix-CAN-2005-0916.patch
+ fix possible oops on ppc64 in AIO hugepage handling (100718)
we can postpone to sp3 too.
Created attachment 47437 [details] ppc64-hugepage-secfix-CAN-2005-0916.patch
Using the _mm suffix instead of __.
Asked olh to review and apply. okir, perhaps you can also have a look.
Created attachment 47442 [details] ppc64-hugepage-secfix-CAN-2005-0916.patch
Missed the asm-ia64/page.h hunk.
New version committed.
+- update patches.arch/ppc64-hugepage-secfix-CAN-2005-0916.patch
+ preserve the is_hugepage_only_range API (100718)
Some nitpicks: include/asm-ppc64/page.h touches_hugepage_low_range is removed; how will this compile on ppc64? mm/mmap.c the last two chunks of the original patch are gone. Is this intentional? -@@ -584,7 +584,7 @@ - vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && - (!vma || addr + len <= vma->vm_start) -- && !is_hugepage_only_range(addr,len)) -+ && !is_hugepage_only_range(mm, addr,len)) - return addr; - } - -@@ -597,7 +597,7 @@ - addr = (mm->free_area_cache - len) & PAGE_MASK; - do { - hugepage_recheck: -- if (touches_hugepage_low_range(addr, len)) { -+ if (touches_hugepage_low_range(mm, addr, len)) { - addr = (addr & ((~0) << SID_SHIFT)) - len; - goto hugepage_recheck; - } else if (touches_hugepage_high_range(addr, len)) {
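Review bot: both quoted mm/mmap.c hunks (@@ -584 and @@ -597) switch call sites that already have an mm in hand (find_vma(mm, addr) and mm->free_area_cache sit right beside them) from the one-argument is_hugepage_only_range(addr,len) / touches_hugepage_low_range(addr, len) to the explicit-mm forms; if the backport drops these two chunks, as the comment says it does, both sites keep resolving through the old macros that read current->mm, so the patch description should say why that is acceptable there when the CVE path (exit_aio) is precisely where is_hugepage_only_range fails. The second hunk also depends on touches_hugepage_low_range still existing with the old signature in include/asm-ppc64/page.h, which the same comment says has been removed, so that site needs to be re-checked against the header before the ppc64 build can be called compile-tested. Minor: the new call in the first hunk is written is_hugepage_only_range(mm, addr,len) with inconsistent spacing; the second hunk uses the normal (mm, addr, len) form.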
Question 1: all uses of touches_hugepage_low_range now use touches_hugepage_low_range_mm; this seemed to be an internal ppc macro. Question 2: only one hunk of the mm/mmap.c diff is gone; there I left is_hugepage_only_range as-is (calling the old macro that uses current->mm).
Ah, the first patch attached below is vs. 2.6.11, and the other one is vs. 2.6.5. That explains the difference between the two.
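The defect class the patch addresses, as an added C model that is not the kernel's code or this bug's patch: a helper that resolves the mm implicitly through current->mm cannot be used on the mm teardown path, where the exiting task has already dropped its mm, whereas the AIO context still holds the mm and can pass it explicitly. All structure and field names here are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the pieces involved; names and fields are this
 * example's own, not the kernel's. */
struct mm_struct {
    unsigned long htlb_low_segs;   /* bitmask: low segments reserved for hugepages */
};
struct task_struct { struct mm_struct *mm; };
struct kioctx { struct mm_struct *mm; };   /* an AIO context holds its own mm pointer */

static struct task_struct *current;        /* stands in for the kernel's `current` */
#define SID_SHIFT 28                       /* 256 MB segments, as in the quoted hunk */

/* Pre-fix shape: resolves the mm implicitly through current->mm.
 * In the kernel a NULL current->mm would oops; here it is reported as -1. */
static int is_hugepage_only_range_old(unsigned long addr, unsigned long len)
{
    (void)len;
    if (current->mm == NULL)
        return -1;
    return (int)((current->mm->htlb_low_segs >> (addr >> SID_SHIFT)) & 1);
}

/* Post-fix shape: the caller passes the mm it is working on explicitly. */
static int is_hugepage_only_range_mm(struct mm_struct *mm, unsigned long addr, unsigned long len)
{
    (void)len;
    return (int)((mm->htlb_low_segs >> (addr >> SID_SHIFT)) & 1);
}

/* exit_aio-style teardown of an AIO context's ring mapping, in either variant. */
static int exit_aio_model(struct kioctx *ctx, unsigned long addr, unsigned long len, bool fixed)
{
    return fixed ? is_hugepage_only_range_mm(ctx->mm, addr, len)
                 : is_hugepage_only_range_old(addr, len);
}

/* Scenario from the CVE: a task sets up AIO and exits without io_queue_release.
 * Returns -1 where the old macro would have dereferenced a NULL current->mm. */
static int simulate_exit(bool fixed)
{
    struct mm_struct mm = { .htlb_low_segs = 0x2 };   /* segment 1 reserved for hugepages */
    struct task_struct tsk = { .mm = &mm };
    struct kioctx ctx = { .mm = &mm };
    current = &tsk;
    tsk.mm = NULL;   /* exit_mm: the task drops its mm before the mm's users are torn down */
    return exit_aio_model(&ctx, 0x10000000UL, 0x1000UL, fixed);   /* addr lies in segment 1 */
}
```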
updates released + advisory.
CVE-2005-0916: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)