First published: Mon May 09 2011
```
BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
IP: [<ffffffffa04a3cc1>] cifsFileInfo_put+0x21/0x220 [cifs]
PGD 15434067 PUD 375bd067 PMD 0
Oops: 0000 [#1] SMP
last sysfs file: /sys/devices/virtual/block/dm-1/dm/name
CPU 2
Modules linked in: cifs nfs nls_utf8 lockd nfs_acl rpcsec_gss_krb5 auth_rpcgss des_generic sunrpc cachefiles fscache(T) ipv6 dm_mirror dm_region_hash dm_log virtio_balloon virtio_net sg i2c_piix4 i2c_core ext4 mbcache jbd2 virtio_blk sr_mod cdrom virtio_pci virtio_ring virtio pata_acpi ata_generic ata_piix dm_mod [last unloaded: cifs]
Modules linked in: cifs nfs nls_utf8 lockd nfs_acl rpcsec_gss_krb5 auth_rpcgss des_generic sunrpc cachefiles fscache(T) ipv6 dm_mirror dm_region_hash dm_log virtio_balloon virtio_net sg i2c_piix4 i2c_core ext4 mbcache jbd2 virtio_blk sr_mod cdrom virtio_pci virtio_ring virtio pata_acpi ata_generic ata_piix dm_mod [last unloaded: cifs]
Pid: 11418, comm: opentest Tainted: G ---------------- T 2.6.32-144.el6.x86_64.debug #1 KVM
RIP: 0010:[<ffffffffa04a3cc1>]  [<ffffffffa04a3cc1>] cifsFileInfo_put+0x21/0x220 [cifs]
RSP: 0018:ffff8800376f9b98  EFLAGS: 00010282
RAX: ffffffffa04a3f00 RBX: ffff88003b24e1b8 RCX: 0000000000000003
RDX: ffffffffa04bb760 RSI: ffff88003b24e1b8 RDI: 0000000000000000
RBP: ffff8800376f9bc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000100006 R12: 0000000000000008
R13: ffff88002ee7a0d0 R14: ffff88000737b700 R15: ffff88003e7fa578
FS:  00007f4603a80700(0000) GS:ffff880004400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000030 CR3: 000000003d399000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process opentest (pid: 11418, threadinfo ffff8800376f8000, task ffff8800154e85c0)
Stack:
 0000000000000000 ffff88003b24e1b8 0000000000000008 ffff88002ee7a0d0
<0> ffff88000737b700 ffff88003e7fa578 ffff8800376f9be8 ffffffffa04a3f1d
<0> 0000000000000008 ffff88003b24e1b8 ffff8800376f9c38 ffffffff81190ab8
Call Trace:
 [<ffffffffa04a3f1d>] cifs_close+0x1d/0x40 [cifs]
 [<ffffffff81190ab8>] __fput+0x108/0x280
 [<ffffffff81189ce0>] ? generic_file_open+0x0/0x30
 [<ffffffff81190c55>] fput+0x25/0x30
 [<ffffffff8118c40c>] __dentry_open+0x28c/0x3e0
 [<ffffffff8118c639>] lookup_instantiate_filp+0x69/0x90
 [<ffffffffa04a2182>] cifs_lookup+0x3f2/0x5c0 [cifs]
 [<ffffffff8119e802>] __lookup_hash+0x102/0x160
 [<ffffffff8122f752>] ? selinux_inode_permission+0x72/0xb0
 [<ffffffff8119e93a>] lookup_hash+0x3a/0x50
 [<ffffffff8119f36a>] do_filp_open+0x2ca/0xdc0
 [<ffffffff810d71c2>] ? utrace_stop+0x122/0x1d0
 [<ffffffff811ac63b>] ? alloc_fd+0x3b/0x160
 [<ffffffff8150eccb>] ? _spin_unlock+0x2b/0x40
 [<ffffffff811ac6ab>] ? alloc_fd+0xab/0x160
 [<ffffffff8118c039>] do_sys_open+0x69/0x140
 [<ffffffff8118c150>] sys_open+0x20/0x30
 [<ffffffff8100b3a3>] tracesys+0xd9/0xde
```

This was reported upstream recently: http://marc.info/?l=linux-cifs&m=130204730006155&w=2

...the problem is that CIFS doesn't do O_DIRECT at all, so when you try to open a file with it you get back -EINVAL. CIFS can also do open on lookup in some cases. In that case, fput will be called on the filp, which has not yet had its private_data set. This is a regression introduced with the patchset to clean up filehandle management in CIFS. The fix is simple and is already upstream: check for a NULL filp->private_data before trying to dereference it.
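To make the failure mode concrete, here is a small C model of the sequence described above. It is an added example written for this page, not kernel code and not the upstream patch: the VFS instantiates the filp during lookup, refuses O_DIRECT with -EINVAL because CIFS offers no direct_IO, and drops the filp through fput() before cifs_lookup has attached private_data, so the ->release hook (cifs_close) reaches cifsFileInfo_put() with a NULL private_data. The placement of the -EINVAL check after instantiation is an assumption drawn from the __dentry_open -> fput frames in the trace. The struct layouts, the O_DIRECT value, the supports_direct_io field and the two scenario functions are simplified stand-ins invented for the model; the NULL check in cifs_file_info_put() is the shape of the fix the advisory describes.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define O_DIRECT 0x4000   /* value used only in this model */

/* Stand-ins for the kernel objects involved (constructed for this example,
 * not the real struct layouts). */
struct cifs_file_info {
    int count;                /* reference count; the kernel uses an atomic */
};

struct file {
    int flags;
    int supports_direct_io;   /* models f_mapping->a_ops->direct_IO being present */
    void *private_data;       /* cifs_lookup attaches a cifs_file_info here after instantiation */
};

/* Model of cifsFileInfo_put() with the fix: drop a reference, free at zero.
 * Returns 1 when the info was freed, 0 otherwise (including the NULL case). */
static int cifs_file_info_put(struct file *f)
{
    struct cifs_file_info *cf = f->private_data;
    if (cf == NULL)           /* the check the filehandle-cleanup patchset dropped */
        return 0;
    if (--cf->count > 0)
        return 0;
    f->private_data = NULL;
    free(cf);
    return 1;
}

/* ->release hook reached from fput(), as in the call trace. */
static int cifs_close(struct file *f)
{
    return cifs_file_info_put(f);
}

/* Model of the VFS step inside __dentry_open(): the filp is already instantiated
 * and its release hook is cifs_close, but CIFS has not attached private_data yet.
 * O_DIRECT on a filesystem without direct_IO is refused with -EINVAL and the
 * VFS drops the filp with fput(), which invokes ->release. */
static int vfs_open_instantiated(struct file *f)
{
    if ((f->flags & O_DIRECT) && !f->supports_direct_io) {
        cifs_close(f);        /* fput() -> __fput() -> cifs_close() with NULL private_data */
        return -EINVAL;
    }
    return 0;
}

/* Model of cifs_lookup()'s open-on-lookup path: instantiate through the VFS
 * first, attach the CIFS file info only once that has succeeded. */
static int cifs_open_on_lookup(struct file *f)
{
    int rc = vfs_open_instantiated(f);
    if (rc < 0)
        return rc;
    struct cifs_file_info *cf = calloc(1, sizeof *cf);
    if (cf == NULL)
        return -ENOMEM;
    cf->count = 1;
    f->private_data = cf;
    return 0;
}

/* Scenario 1: the path from the oops. With the NULL check the release on the
 * half-initialised filp is a no-op and the open simply fails with -EINVAL. */
static int scenario_odirect_open(void)
{
    struct file f = { .flags = O_DIRECT, .supports_direct_io = 0, .private_data = NULL };
    int rc = cifs_open_on_lookup(&f);
    return (rc == -EINVAL && f.private_data == NULL) ? 0 : -1;
}

/* Scenario 2: a normal open-on-lookup followed by close still frees the info. */
static int scenario_normal_open_close(void)
{
    struct file f = { .flags = 0, .supports_direct_io = 0, .private_data = NULL };
    if (cifs_open_on_lookup(&f) != 0 || f.private_data == NULL)
        return -1;
    if (cifs_close(&f) != 1)  /* last reference dropped -> freed */
        return -1;
    return f.private_data == NULL ? 0 : -1;
}

int main(void)
{
    printf("O_DIRECT open on CIFS: %s\n", scenario_odirect_open() == 0 ? "fails cleanly" : "unexpected");
    printf("normal open/close:     %s\n", scenario_normal_open_close() == 0 ? "ok" : "unexpected");
    return 0;
}
```

Without the NULL check, scenario 1 would dereference a NULL cifs_file_info when reading its reference count, which is the read at offset 0x30 reported in the oops header; the model returns cleanly instead.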
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix
---|---|---
Linux kernel | < 2.6.39 | 
debian/linux-2.6 | | 