Bug 895955 - (CVE-2014-0205) VUL-0: CVE-2014-0205: kernel: futex: refcount issue in case of requeue
VUL-0: CVE-2014-0205: kernel: futex: refcount issue in case of requeue
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Major
: ---
Assigned To: E-mail List
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2014-09-10 06:42 UTC by Marcus Meissner
Modified: 2016-04-27 19:11 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2014-09-10 06:42:23 UTC
via rh bugzilla

A flaw was found in the way the Linux kernel's futex subsystem handled reference counting when requeuing futexes during futex_wait(). A local, unprivileged user could use this flaw to zero out the reference counter of an inode or an mm struct that backs up the memory area of the futex, which could lead to a use-after-free flaw, resulting in a system crash or, potentially, privilege escalation.


Upstream fix:


The security impact of this issue was discovered by Mateusz Guzik of Red Hat.
Comment 1 Michal Hocko 2014-09-10 08:32:55 UTC
Quite an old one, isn't it?

Anyway the patch has been merged in 2.6.37 which makes it LTSS material.
SLE11-SP1-{TD,LTSS} already have it.
SLES10-* looks affected.
Comment 2 Michal Hocko 2014-09-10 08:47:51 UTC
Now that I am looking at the code it looks too differently in SLES10 so it might be possible that it is not affected after all. The commit message is quite unhelpful unfortunately... I will try to understand the code...

Anyway, do we have any additional information? E.g. do we have a code which triggers any of the described issues?
Comment 3 Marcus Meissner 2014-09-10 11:43:05 UTC
Yes, quite old ... 

So, SLES 11 SP2, SP3 or newer are not affected.

I have no more information currently.
Comment 4 Michal Hocko 2014-09-10 16:54:20 UTC
I was staring into the code (SLE10-SP4) some more and now I am inclined that it is not affected. The main problem seem to come from futex_wait_setup and that one has been introduced later by f801073f87aa2 (around 2.6.31).

Anyway I do not feel strongly about this so I have contacted Darren as the code
author to help me understand all the consequences.
Comment 5 SMASH SMASH 2014-09-10 19:30:21 UTC
Affected packages:

SLE-10-SP3-TERADATA: kernel-source
SLE-11-SP1-TERADATA: kernel-source
Comment 6 Swamp Workflow Management 2014-09-10 22:00:12 UTC
bugbot adjusting priority
Comment 7 Michal Hocko 2014-09-11 06:52:53 UTC
Here is the answer from Darren:
The most recent CVE dealt with the requeue_pi path, which (fortunately)
you don't have to worry about :-)

As for this key counting... It definitely changed a lot with the
refactoring you mentioned. I looked through the 2.6.12 and didn't see
anything obvious, but the key ref counting at that time had a number of
implicit or nested get/drop calls. If you want to be sure, it needs a
proper audit.

I read this as SLES10 (or older than f801073f87aa2) are not affected by this particular CVE. There is still room for an audit to make absolute certainty whether there are some other issues left. I am definitely not an expert on futex so I do not feel qualified to do such an audit. How shall we proceed? Is there anybody who cares about <2.6.32 kernels besides us? Do we care enough considering "Darren is not seeing anything obvious" since 2.6.12?
Comment 8 Marcus Meissner 2014-09-11 16:22:44 UTC
I think we can leave SLES 10 as-is without review for now.
Comment 9 Marcus Meissner 2014-09-12 08:51:46 UTC
so I think we can close it as "notaffected"