First published: Wed Feb 01 2006
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Description of problem:
The following simple reproducer causes a panic on ia64 when run as any user. Due to this I am considering this a security sensitive problem. This is another situation where bad arguments to set_mempolicy cause a system panic.

I have verified this on ia64 running the latest kernel; however, it is likely not a recent regression. I have not had a chance to dig into the code to narrow down the issue but it is easily reproducible (on ia64 at least, would be interested in seeing if it can be hit elsewhere).

```
VM: killing process a.out
Unable to handle kernel NULL pointer dereference (address 0000000000000000)
a.out[7796]: Oops 8847632629764 [1]
Modules linked in: nfs lockd nfs_acl md5 ipv6 parport_pc lp parport autofs4 i2c_dev i2c_core sunrpc ds yenta_socket pcmcia_core scsi_dump diskdump zlib_deflate vfat fat dm_multipath button ohci_hcd ehci_hcd e1000 dm_snapshot dm_zero dm_mirror ext3 jbd dm_mod qla2300 qla2xxx lpfc scsi_transport_fc mptscsih mptsas mptspi mptfc mptscsi mptbase sd_mod scsi_mod

Pid: 7796, CPU 0, comm: a.out
psr : 0000101008126010 ifs : 800000000000cc18 ip : [<a00000010024e650>] Not tainted
ip is at __copy_user+0xb0/0x940
unat: 0000000000000000 pfs : 0000000000000a99 rsc : 0000000000000003
rnat: 0000000000000001 bsps: 0000000000000000 pr : 00000001aa6a0b19
ldrs: 0000000000000000 ccv : 0000000000000000 fpsr: 0009804c0270033f
csd : 0000000000000000 ssd : 0000000000000000
b0 : a0000001002fcfe0 b6 : a0000001002f7940 b7 : a0000001002fcc00
f6 : 0ffff8000000000000000 f7 : 000000000000000000000
f8 : 000000000000000000000 f9 : 000000000000000000000
f10 : 000000000000000000000 f11 : 000000000000000000000
r1 : a0000001009adda0 r2 : 0000000000000000 r3 : 00000000000c0221
r8 : 0000000000000000 r9 : ffffffffffffffff r10 : 0000000000000000
r11 : 00000001aa6a0a59 r12 : e00000002c0afd70 r13 : e00000002c0a8000
r14 : e00000002c0afde0 r15 : 0000000000000000 r16 : 0000000000000050
r17 : e00000002c0afde0 r18 : e00000002c0afde1 r19 : 0000000000000000
r20 : e00000002c0afde0 r21 : e00000002c0afdb8 r22 : a0000001006638d0
r23 : a0000001007ae9a8 r24 : e00000002c0afdd0 r25 : e00000002c0afdc8
r26 : 0000000000000000 r27 : 0000001008126010 r28 : 0000000000000000
r29 : 0000000000000000 r30 : 0000000000000008 r31 : 0000000000000a99

Call Trace:
[<a000000100016b20>] show_stack+0x80/0xa0 sp=e00000002c0af900 bsp=e00000002c0a91e0
[<a000000100017430>] show_regs+0x890/0x8c0 sp=e00000002c0afad0 bsp=e00000002c0a9198
[<a00000010003dbb0>] die+0x150/0x240 sp=e00000002c0afaf0 bsp=e00000002c0a9158
[<a000000100061e80>] ia64_do_page_fault+0x8c0/0xbc0 sp=e00000002c0afaf0 bsp=e00000002c0a90f0
[<a00000010000f540>] ia64_leave_kernel+0x0/0x260 sp=e00000002c0afba0 bsp=e00000002c0a90f0
[<a00000010024e650>] __copy_user+0xb0/0x940 sp=e00000002c0afd70 bsp=e00000002c0a9030
[<a0000001002fcfe0>] write_chan+0x3e0/0xc20 sp=e00000002c0afd70 bsp=e00000002c0a8f80
[<a0000001002ed940>] tty_write+0x440/0x640 sp=e00000002c0afe20 bsp=e00000002c0a8f00
[<a0000001001202d0>] vfs_write+0x290/0x360 sp=e00000002c0afe20 bsp=e00000002c0a8eb0
[<a0000001001204f0>] sys_write+0x70/0xe0 sp=e00000002c0afe20 bsp=e00000002c0a8e38
[<a00000010000f3e0>] ia64_ret_from_syscall+0x0/0x20 sp=e00000002c0afe30 bsp=e00000002c0a8e38
[<a000000000010640>] 0xa000000000010640 sp=e00000002c0b0000 bsp=e00000002c0a8e38
```

Version-Release number of selected component (if applicable):
kernel-2.6.9-30.EL

How reproducible:
Always

Steps to Reproduce:
1. compile the reproducer with cc foo.c -lnuma
2. ./a.out
3. watch smoke fly

Actual Results: panic

Expected Results: no panic!

Additional info:

Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Redhat Enterprise Linux Desktop | =4 | |
Redhat Enterprise Linux | =4.0 | |
Redhat Enterprise Linux | =4.0 | |
Redhat Enterprise Linux | =4.0 | |