Bugzilla – Bug 895955
VUL-0: CVE-2014-0205: kernel: futex: refcount issue in case of requeue
Last modified: 2016-04-27 19:11:30 UTC
via rh bugzilla

A flaw was found in the way the Linux kernel's futex subsystem handled reference counting when requeuing futexes during futex_wait(). A local, unprivileged user could use this flaw to zero out the reference counter of an inode or an mm struct that backs up the memory area of the futex, which could lead to a use-after-free flaw, resulting in a system crash or, potentially, privilege escalation.

References: https://lkml.org/lkml/2010/9/16/99

Upstream fix: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7ada876a8703f23befbb20a7465a702ee39b1704

Acknowledgements: The security impact of this issue was discovered by Mateusz Guzik of Red Hat.
Quite an old one, isn't it? Anyway, the patch was merged in 2.6.37, which makes it LTSS material. SLE11-SP1-{TD,LTSS} already have it. SLES10-* looks affected.
Now that I am looking at the code, it looks quite different in SLES10, so it is possible that it is not affected after all. The commit message is quite unhelpful, unfortunately... I will try to understand the code... Anyway, do we have any additional information? E.g., do we have code which triggers any of the described issues?
Yes, quite old... So SLES 11 SP2, SP3 and newer are not affected. I have no more information currently.
I was staring into the code (SLE10-SP4) some more, and now I am inclined to think that it is not affected. The main problem seems to come from futex_wait_setup, and that one was introduced later by f801073f87aa2 (around 2.6.31). Anyway, I do not feel strongly about this, so I have contacted Darren as the code author to help me understand all the consequences.
Affected packages:
SLE-10-SP3-TERADATA: kernel-source
SLE-11-SP1-TERADATA: kernel-source
bugbot adjusting priority
Here is the answer from Darren:

"The most recent CVE dealt with the requeue_pi path, which (fortunately) you don't have to worry about :-) As for this key counting... It definitely changed a lot with the refactoring you mentioned. I looked through 2.6.12 and didn't see anything obvious, but the key ref counting at that time had a number of implicit or nested get/drop calls. If you want to be sure, it needs a proper audit."

I read this as: SLES10 (or anything older than f801073f87aa2) is not affected by this particular CVE. There is still room for an audit to be absolutely certain whether there are other issues left. I am definitely not an expert on futex, so I do not feel qualified to do such an audit. How shall we proceed? Is there anybody who cares about <2.6.32 kernels besides us? Do we care enough, considering Darren "is not seeing anything obvious" since 2.6.12?
I think we can leave SLES 10 as-is without review for now.
So I think we can close it as "notaffected".