| 2011-02-23 21:04:20 |
Brad Figg |
bug |
|
|
added bug |
| 2011-02-23 21:06:01 |
Brad Figg |
security vulnerability |
no |
yes |
|
| 2011-02-23 21:06:12 |
Brad Figg |
cve linked |
|
2010-4258 |
|
| 2011-02-23 21:06:28 |
Brad Figg |
nominated for series |
|
Ubuntu Natty |
|
| 2011-02-23 21:06:36 |
Brad Figg |
nominated for series |
|
Ubuntu Maverick |
|
| 2011-02-23 21:06:39 |
Brad Figg |
nominated for series |
|
Ubuntu Lucid |
|
| 2011-02-23 21:06:42 |
Brad Figg |
nominated for series |
|
Ubuntu Karmic |
|
| 2011-02-23 21:06:45 |
Brad Figg |
nominated for series |
|
Ubuntu Hardy |
|
| 2011-02-23 21:06:52 |
Brad Figg |
nominated for series |
|
Ubuntu Dapper |
|
| 2011-02-23 21:09:17 |
Brad Figg |
description |
Placeholder |
commit 62b61f611e ("ksm: memory hotremove migration only") caused the
following new lockdep warning.
=======================================================
[ INFO: possible circular locking dependency detected ]
-------------------------------------------------------
bash/1621 is trying to acquire lock:
((memory_chain).rwsem){.+.+.+}, at: [<ffffffff81079339>]
__blocking_notifier_call_chain+0x69/0xc0
but task is already holding lock:
(ksm_thread_mutex){+.+.+.}, at: [<ffffffff8113a3aa>]
ksm_memory_callback+0x3a/0xc0
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (ksm_thread_mutex){+.+.+.}:
[<ffffffff8108b70a>] lock_acquire+0xaa/0x140
[<ffffffff81505d74>] __mutex_lock_common+0x44/0x3f0
[<ffffffff81506228>] mutex_lock_nested+0x48/0x60
[<ffffffff8113a3aa>] ksm_memory_callback+0x3a/0xc0
[<ffffffff8150c21c>] notifier_call_chain+0x8c/0xe0
[<ffffffff8107934e>] __blocking_notifier_call_chain+0x7e/0xc0
[<ffffffff810793a6>] blocking_notifier_call_chain+0x16/0x20
[<ffffffff813afbfb>] memory_notify+0x1b/0x20
[<ffffffff81141b7c>] remove_memory+0x1cc/0x5f0
[<ffffffff813af53d>] memory_block_change_state+0xfd/0x1a0
[<ffffffff813afd62>] store_mem_state+0xe2/0xf0
[<ffffffff813a0bb0>] sysdev_store+0x20/0x30
[<ffffffff811bc116>] sysfs_write_file+0xe6/0x170
[<ffffffff8114f398>] vfs_write+0xc8/0x190
[<ffffffff8114fc14>] sys_write+0x54/0x90
[<ffffffff810028b2>] system_call_fastpath+0x16/0x1b
-> #0 ((memory_chain).rwsem){.+.+.+}:
[<ffffffff8108b5ba>] __lock_acquire+0x155a/0x1600
[<ffffffff8108b70a>] lock_acquire+0xaa/0x140
[<ffffffff81506601>] down_read+0x51/0xa0
[<ffffffff81079339>] __blocking_notifier_call_chain+0x69/0xc0
[<ffffffff810793a6>] blocking_notifier_call_chain+0x16/0x20
[<ffffffff813afbfb>] memory_notify+0x1b/0x20
[<ffffffff81141f1e>] remove_memory+0x56e/0x5f0
[<ffffffff813af53d>] memory_block_change_state+0xfd/0x1a0
[<ffffffff813afd62>] store_mem_state+0xe2/0xf0
[<ffffffff813a0bb0>] sysdev_store+0x20/0x30
[<ffffffff811bc116>] sysfs_write_file+0xe6/0x170
[<ffffffff8114f398>] vfs_write+0xc8/0x190
[<ffffffff8114fc14>] sys_write+0x54/0x90
[<ffffffff810028b2>] system_call_fastpath+0x16/0x1b
But it's a false positive. Both memory_chain.rwsem and ksm_thread_mutex
have an outer lock (mem_hotplug_mutex). So they cannot deadlock.
Thus, This patch annotate ksm_thread_mutex is not deadlock source. |
|
| 2011-02-23 21:37:23 |
Nelson Elhage |
summary |
CVE-2010-4258 |
lockdep warning in KSM |
|
| 2011-02-23 21:38:18 |
Nelson Elhage |
cve unlinked |
2010-4258 |
|
|
| 2011-02-23 22:25:28 |
Brad Figg |
summary |
lockdep warning in KSM |
CVE-2010-4258 |
|
| 2011-02-23 22:55:27 |
Nelson Elhage |
cve linked |
|
2010-4258 |
|
| 2011-02-24 01:08:41 |
Brad Figg |
description |
commit 62b61f611e ("ksm: memory hotremove migration only") caused the
following new lockdep warning.
=======================================================
[ INFO: possible circular locking dependency detected ]
-------------------------------------------------------
bash/1621 is trying to acquire lock:
((memory_chain).rwsem){.+.+.+}, at: [<ffffffff81079339>]
__blocking_notifier_call_chain+0x69/0xc0
but task is already holding lock:
(ksm_thread_mutex){+.+.+.}, at: [<ffffffff8113a3aa>]
ksm_memory_callback+0x3a/0xc0
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (ksm_thread_mutex){+.+.+.}:
[<ffffffff8108b70a>] lock_acquire+0xaa/0x140
[<ffffffff81505d74>] __mutex_lock_common+0x44/0x3f0
[<ffffffff81506228>] mutex_lock_nested+0x48/0x60
[<ffffffff8113a3aa>] ksm_memory_callback+0x3a/0xc0
[<ffffffff8150c21c>] notifier_call_chain+0x8c/0xe0
[<ffffffff8107934e>] __blocking_notifier_call_chain+0x7e/0xc0
[<ffffffff810793a6>] blocking_notifier_call_chain+0x16/0x20
[<ffffffff813afbfb>] memory_notify+0x1b/0x20
[<ffffffff81141b7c>] remove_memory+0x1cc/0x5f0
[<ffffffff813af53d>] memory_block_change_state+0xfd/0x1a0
[<ffffffff813afd62>] store_mem_state+0xe2/0xf0
[<ffffffff813a0bb0>] sysdev_store+0x20/0x30
[<ffffffff811bc116>] sysfs_write_file+0xe6/0x170
[<ffffffff8114f398>] vfs_write+0xc8/0x190
[<ffffffff8114fc14>] sys_write+0x54/0x90
[<ffffffff810028b2>] system_call_fastpath+0x16/0x1b
-> #0 ((memory_chain).rwsem){.+.+.+}:
[<ffffffff8108b5ba>] __lock_acquire+0x155a/0x1600
[<ffffffff8108b70a>] lock_acquire+0xaa/0x140
[<ffffffff81506601>] down_read+0x51/0xa0
[<ffffffff81079339>] __blocking_notifier_call_chain+0x69/0xc0
[<ffffffff810793a6>] blocking_notifier_call_chain+0x16/0x20
[<ffffffff813afbfb>] memory_notify+0x1b/0x20
[<ffffffff81141f1e>] remove_memory+0x56e/0x5f0
[<ffffffff813af53d>] memory_block_change_state+0xfd/0x1a0
[<ffffffff813afd62>] store_mem_state+0xe2/0xf0
[<ffffffff813a0bb0>] sysdev_store+0x20/0x30
[<ffffffff811bc116>] sysfs_write_file+0xe6/0x170
[<ffffffff8114f398>] vfs_write+0xc8/0x190
[<ffffffff8114fc14>] sys_write+0x54/0x90
[<ffffffff810028b2>] system_call_fastpath+0x16/0x1b
But it's a false positive. Both memory_chain.rwsem and ksm_thread_mutex
have an outer lock (mem_hotplug_mutex). So they cannot deadlock.
Thus, This patch annotate ksm_thread_mutex is not deadlock source. |
If a user manages to trigger an oops with fs set to KERNEL_DS, fs is not
otherwise reset before do_exit(). do_exit may later (via mm_release in
fork.c) do a put_user to a user-controlled address, potentially allowing
a user to leverage an oops into a controlled write into kernel memory.
This is only triggerable in the presence of another bug, but this
potentially turns a lot of DoS bugs into privilege escalations, so it's
worth fixing. I have proof-of-concept code which uses this bug along
with CVE-2010-3849 to write a zero to an arbitrary kernel address, so
I've tested that this is not theoretical.
A more logical place to put this fix might be when we know an oops has
occurred, before we call do_exit(), but that would involve changing
every architecture, in multiple places.
Let's just stick it in do_exit instead. |
|
| 2011-02-28 14:39:07 |
Jeremy Foshee |
bug task added |
|
linux (Ubuntu Dapper) |
|
| 2011-02-28 14:39:07 |
Jeremy Foshee |
bug task added |
|
linux-fsl-imx51 (Ubuntu Dapper) |
|
| 2011-02-28 14:39:07 |
Jeremy Foshee |
bug task added |
|
linux-lts-backport-maverick (Ubuntu Dapper) |
|
| 2011-02-28 14:39:07 |
Jeremy Foshee |
bug task added |
|
linux-mvl-dove (Ubuntu Dapper) |
|
| 2011-02-28 14:39:07 |
Jeremy Foshee |
bug task added |
|
linux-ti-omap4 (Ubuntu Dapper) |
|
| 2011-02-28 14:39:33 |
Jeremy Foshee |
bug task added |
|
linux (Ubuntu Hardy) |
|
| 2011-02-28 14:39:33 |
Jeremy Foshee |
bug task added |
|
linux-fsl-imx51 (Ubuntu Hardy) |
|
| 2011-02-28 14:39:33 |
Jeremy Foshee |
bug task added |
|
linux-lts-backport-maverick (Ubuntu Hardy) |
|
| 2011-02-28 14:39:33 |
Jeremy Foshee |
bug task added |
|
linux-mvl-dove (Ubuntu Hardy) |
|
| 2011-02-28 14:39:33 |
Jeremy Foshee |
bug task added |
|
linux-ti-omap4 (Ubuntu Hardy) |
|
| 2011-02-28 14:39:54 |
Jeremy Foshee |
bug task added |
|
linux (Ubuntu Karmic) |
|
| 2011-02-28 14:39:54 |
Jeremy Foshee |
bug task added |
|
linux-fsl-imx51 (Ubuntu Karmic) |
|
| 2011-02-28 14:39:54 |
Jeremy Foshee |
bug task added |
|
linux-lts-backport-maverick (Ubuntu Karmic) |
|
| 2011-02-28 14:39:54 |
Jeremy Foshee |
bug task added |
|
linux-mvl-dove (Ubuntu Karmic) |
|
| 2011-02-28 14:39:54 |
Jeremy Foshee |
bug task added |
|
linux-ti-omap4 (Ubuntu Karmic) |
|
| 2011-02-28 14:40:16 |
Jeremy Foshee |
bug task added |
|
linux (Ubuntu Lucid) |
|
| 2011-02-28 14:40:16 |
Jeremy Foshee |
bug task added |
|
linux-fsl-imx51 (Ubuntu Lucid) |
|
| 2011-02-28 14:40:16 |
Jeremy Foshee |
bug task added |
|
linux-lts-backport-maverick (Ubuntu Lucid) |
|
| 2011-02-28 14:40:16 |
Jeremy Foshee |
bug task added |
|
linux-mvl-dove (Ubuntu Lucid) |
|
| 2011-02-28 14:40:16 |
Jeremy Foshee |
bug task added |
|
linux-ti-omap4 (Ubuntu Lucid) |
|
| 2011-02-28 14:41:01 |
Jeremy Foshee |
bug task added |
|
linux (Ubuntu Maverick) |
|
| 2011-02-28 14:41:01 |
Jeremy Foshee |
bug task added |
|
linux-fsl-imx51 (Ubuntu Maverick) |
|
| 2011-02-28 14:41:01 |
Jeremy Foshee |
bug task added |
|
linux-lts-backport-maverick (Ubuntu Maverick) |
|
| 2011-02-28 14:41:01 |
Jeremy Foshee |
bug task added |
|
linux-mvl-dove (Ubuntu Maverick) |
|
| 2011-02-28 14:41:01 |
Jeremy Foshee |
bug task added |
|
linux-ti-omap4 (Ubuntu Maverick) |
|
| 2011-02-28 14:43:43 |
Jeremy Foshee |
bug task added |
|
linux (Ubuntu Natty) |
|
| 2011-02-28 14:43:43 |
Jeremy Foshee |
bug task added |
|
linux-fsl-imx51 (Ubuntu Natty) |
|
| 2011-02-28 14:43:43 |
Jeremy Foshee |
bug task added |
|
linux-lts-backport-maverick (Ubuntu Natty) |
|
| 2011-02-28 14:43:43 |
Jeremy Foshee |
bug task added |
|
linux-mvl-dove (Ubuntu Natty) |
|
| 2011-02-28 14:43:43 |
Jeremy Foshee |
bug task added |
|
linux-ti-omap4 (Ubuntu Natty) |
|
| 2011-02-28 16:57:05 |
Brad Figg |
linux (Ubuntu Natty): status |
New |
Fix Released |
|
| 2011-03-02 14:34:35 |
Tim Gardner |
linux (Ubuntu Dapper): status |
New |
Fix Committed |
|
| 2011-03-02 14:34:35 |
Tim Gardner |
linux (Ubuntu Dapper): assignee |
|
Brad Figg (brad-figg) |
|
| 2011-03-02 14:35:23 |
Tim Gardner |
linux (Ubuntu Hardy): status |
New |
Fix Committed |
|
| 2011-03-02 14:35:23 |
Tim Gardner |
linux (Ubuntu Hardy): assignee |
|
Brad Figg (brad-figg) |
|
| 2011-03-02 14:36:04 |
Tim Gardner |
linux (Ubuntu Karmic): status |
New |
Fix Committed |
|
| 2011-03-02 14:36:04 |
Tim Gardner |
linux (Ubuntu Karmic): assignee |
|
Brad Figg (brad-figg) |
|
| 2011-03-11 16:07:09 |
Jamie Strandboge |
linux-mvl-dove (Ubuntu Natty): status |
New |
Invalid |
|
| 2011-03-11 16:08:37 |
Jamie Strandboge |
linux-fsl-imx51 (Ubuntu Natty): status |
New |
Invalid |
|
| 2011-03-11 16:11:01 |
Jamie Strandboge |
linux-lts-backport-maverick (Ubuntu Natty): status |
New |
Invalid |
|
| 2011-03-11 19:43:03 |
Jamie Strandboge |
linux-ti-omap4 (Ubuntu Lucid): status |
New |
Confirmed |
|
| 2011-03-11 19:43:05 |
Jamie Strandboge |
linux-ti-omap4 (Ubuntu Maverick): status |
New |
Confirmed |
|
| 2011-03-11 19:43:11 |
Jamie Strandboge |
linux-ti-omap4 (Ubuntu Natty): status |
New |
Confirmed |
|
| 2011-03-11 19:43:13 |
Jamie Strandboge |
linux-ti-omap4 (Ubuntu Dapper): status |
New |
Confirmed |
|
| 2011-03-11 19:43:16 |
Jamie Strandboge |
linux-ti-omap4 (Ubuntu Hardy): status |
New |
Confirmed |
|
| 2011-03-11 19:43:19 |
Jamie Strandboge |
linux-ti-omap4 (Ubuntu Karmic): status |
New |
Confirmed |
|
| 2011-03-21 14:20:44 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/karmic-proposed/linux-ec2 |
|
| 2011-03-21 21:07:34 |
Brad Figg |
tags |
|
kernel-cve-tracking-bug |
|
| 2011-03-24 05:04:12 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/dapper-proposed/linux-source-2.6.15 |
|
| 2011-03-25 10:27:44 |
Paolo Pisati |
linux-ti-omap4 (Ubuntu Dapper): status |
Confirmed |
Invalid |
|
| 2011-03-25 10:28:01 |
Paolo Pisati |
linux-ti-omap4 (Ubuntu Hardy): status |
Confirmed |
Invalid |
|
| 2011-03-25 10:28:19 |
Paolo Pisati |
linux-ti-omap4 (Ubuntu Karmic): status |
Confirmed |
Invalid |
|
| 2011-03-25 10:28:36 |
Paolo Pisati |
linux-ti-omap4 (Ubuntu Lucid): status |
Confirmed |
Invalid |
|
| 2011-03-25 10:29:59 |
Paolo Pisati |
linux-mvl-dove (Ubuntu Dapper): status |
New |
Invalid |
|
| 2011-03-25 10:30:19 |
Paolo Pisati |
linux-mvl-dove (Ubuntu Hardy): status |
New |
Invalid |
|
| 2011-03-25 10:30:36 |
Paolo Pisati |
linux-mvl-dove (Ubuntu Karmic): status |
New |
Invalid |
|
| 2011-03-25 10:31:21 |
Paolo Pisati |
linux-mvl-dove (Ubuntu Lucid): assignee |
|
Paolo Pisati (p-pisati) |
|
| 2011-03-25 10:31:39 |
Paolo Pisati |
linux-mvl-dove (Ubuntu Maverick): assignee |
|
Paolo Pisati (p-pisati) |
|
| 2011-03-25 10:35:24 |
Paolo Pisati |
linux-ti-omap4 (Ubuntu Maverick): assignee |
|
Paolo Pisati (p-pisati) |
|
| 2011-03-25 11:19:46 |
Paolo Pisati |
linux-ti-omap4 (Ubuntu Maverick): status |
Confirmed |
Fix Released |
|
| 2011-03-25 11:20:02 |
Paolo Pisati |
linux-ti-omap4 (Ubuntu Natty): status |
Confirmed |
Fix Released |
|
| 2011-03-25 11:24:17 |
Paolo Pisati |
linux (Ubuntu Lucid): status |
New |
Fix Released |
|
| 2011-03-25 11:24:32 |
Paolo Pisati |
linux (Ubuntu Maverick): status |
New |
Fix Released |
|
| 2011-03-25 11:36:53 |
Paolo Pisati |
linux (Ubuntu Karmic): status |
Fix Committed |
Fix Released |
|
| 2011-04-04 14:03:55 |
Launchpad Janitor |
linux (Ubuntu Hardy): status |
Fix Committed |
Fix Released |
|
| 2011-04-04 14:03:55 |
Launchpad Janitor |
cve linked |
|
2010-4076 |
|
| 2011-04-04 14:03:55 |
Launchpad Janitor |
cve linked |
|
2010-4077 |
|
| 2011-04-04 14:03:55 |
Launchpad Janitor |
cve linked |
|
2010-4158 |
|
| 2011-04-04 14:03:55 |
Launchpad Janitor |
cve linked |
|
2010-4162 |
|
| 2011-04-04 14:03:55 |
Launchpad Janitor |
cve linked |
|
2010-4163 |
|
| 2011-04-04 14:03:55 |
Launchpad Janitor |
cve linked |
|
2010-4164 |
|
| 2011-04-04 14:03:55 |
Launchpad Janitor |
cve linked |
|
2010-4242 |
|
| 2011-04-04 14:03:55 |
Launchpad Janitor |
cve linked |
|
2010-4346 |
|
| 2011-04-29 13:37:52 |
Paolo Pisati |
linux-mvl-dove (Ubuntu Lucid): status |
New |
In Progress |
|
| 2011-06-02 08:57:42 |
Paolo Pisati |
linux-fsl-imx51 (Ubuntu Dapper): status |
New |
Invalid |
|
| 2011-06-02 08:57:47 |
Paolo Pisati |
linux-fsl-imx51 (Ubuntu Hardy): status |
New |
Invalid |
|
| 2011-06-02 08:57:51 |
Paolo Pisati |
linux-fsl-imx51 (Ubuntu Maverick): status |
New |
Invalid |
|
| 2011-06-02 08:58:19 |
Paolo Pisati |
linux-fsl-imx51 (Ubuntu Karmic): status |
New |
Won't Fix |
|
| 2011-06-02 09:08:44 |
Paolo Pisati |
linux-fsl-imx51 (Ubuntu Lucid): status |
New |
In Progress |
|
| 2011-07-05 05:13:02 |
Launchpad Janitor |
linux-fsl-imx51 (Ubuntu Lucid): status |
In Progress |
Fix Released |
|
| 2011-07-05 05:13:02 |
Launchpad Janitor |
cve linked |
|
2010-3865 |
|
| 2011-07-05 05:13:02 |
Launchpad Janitor |
cve linked |
|
2010-3875 |
|
| 2011-07-05 05:13:02 |
Launchpad Janitor |
cve linked |
|
2010-3876 |
|
| 2011-07-05 05:13:02 |
Launchpad Janitor |
cve linked |
|
2010-3877 |
|
| 2011-07-05 05:13:02 |
Launchpad Janitor |
cve linked |
|
2010-3880 |
|
| 2011-07-05 05:13:02 |
Launchpad Janitor |
cve linked |
|
2010-4342 |
|
| 2011-07-05 05:13:02 |
Launchpad Janitor |
cve linked |
|
2010-4527 |
|
| 2011-07-05 05:13:02 |
Launchpad Janitor |
cve linked |
|
2010-4529 |
|
| 2011-07-05 05:13:02 |
Launchpad Janitor |
cve linked |
|
2010-4565 |
|
| 2011-07-05 05:13:02 |
Launchpad Janitor |
cve linked |
|
2010-4656 |
|
| 2011-07-05 05:13:02 |
Launchpad Janitor |
cve linked |
|
2011-0463 |
|
| 2011-07-05 05:13:02 |
Launchpad Janitor |
cve linked |
|
2011-0521 |
|
| 2011-07-05 05:13:02 |
Launchpad Janitor |
cve linked |
|
2011-0695 |
|
| 2011-07-05 05:13:02 |
Launchpad Janitor |
cve linked |
|
2011-0711 |
|
| 2011-07-05 05:13:02 |
Launchpad Janitor |
cve linked |
|
2011-0712 |
|
| 2011-07-05 05:13:02 |
Launchpad Janitor |
cve linked |
|
2011-1017 |
|
| 2011-10-14 20:41:04 |
Jamie Strandboge |
linux-lts-backport-maverick (Ubuntu Dapper): status |
New |
Won't Fix |
|
| 2011-10-14 20:41:10 |
Jamie Strandboge |
linux-lts-backport-maverick (Ubuntu Karmic): status |
New |
Won't Fix |
|
| 2011-10-14 20:46:10 |
Jamie Strandboge |
linux (Ubuntu Dapper): status |
Fix Committed |
Won't Fix |
|
| 2013-05-21 21:22:49 |
Jamie Strandboge |
linux-lts-backport-maverick (Ubuntu Hardy): status |
New |
Won't Fix |
|
| 2013-05-21 21:22:56 |
Jamie Strandboge |
linux-mvl-dove (Ubuntu Maverick): status |
New |
Won't Fix |
|
| 2013-05-22 12:18:46 |
Jamie Strandboge |
linux-lts-backport-maverick (Ubuntu Lucid): status |
New |
Won't Fix |
|
| 2013-05-22 12:18:51 |
Jamie Strandboge |
linux-lts-backport-maverick (Ubuntu Maverick): status |
New |
Won't Fix |
|
| 2015-06-17 12:03:54 |
Rolf Leggewie |
linux-mvl-dove (Ubuntu Lucid): status |
In Progress |
Won't Fix |
|
