CVE-2010-4526
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Hardy |
Fix Released
|
Undecided
|
Andy Whitcroft | ||
Lucid |
Fix Released
|
Undecided
|
Unassigned | ||
Maverick |
Invalid
|
Undecided
|
Unassigned | ||
Natty |
Invalid
|
Undecided
|
Unassigned | ||
Oneiric |
Invalid
|
Undecided
|
Unassigned | ||
linux-fsl-imx51 (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Hardy |
Invalid
|
Undecided
|
Unassigned | ||
Lucid |
Fix Released
|
Undecided
|
Andy Whitcroft | ||
Maverick |
Invalid
|
Undecided
|
Unassigned | ||
Natty |
Invalid
|
Undecided
|
Unassigned | ||
Oneiric |
Invalid
|
Undecided
|
Unassigned | ||
linux-lts-backport-maverick (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Hardy |
Invalid
|
Undecided
|
Unassigned | ||
Lucid |
Invalid
|
Undecided
|
Unassigned | ||
Maverick |
Invalid
|
Undecided
|
Unassigned | ||
Natty |
Invalid
|
Undecided
|
Unassigned | ||
Oneiric |
Invalid
|
Undecided
|
Unassigned | ||
linux-mvl-dove (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Hardy |
Invalid
|
Undecided
|
Unassigned | ||
Lucid |
Invalid
|
Undecided
|
Unassigned | ||
Maverick |
Invalid
|
Undecided
|
Unassigned | ||
Natty |
Invalid
|
Undecided
|
Unassigned | ||
Oneiric |
Invalid
|
Undecided
|
Unassigned | ||
linux-ti-omap4 (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Hardy |
Invalid
|
Undecided
|
Unassigned | ||
Lucid |
Invalid
|
Undecided
|
Unassigned | ||
Maverick |
Invalid
|
Undecided
|
Unassigned | ||
Natty |
Invalid
|
Undecided
|
Unassigned | ||
Oneiric |
Invalid
|
Undecided
|
Unassigned |
Bug Description
Fixed-by: 50b5d6ad63821ce
commit 50b5d6ad63821ce
Author: Vlad Yasevich <email address hidden>
Date: Thu May 6 00:56:07 2010 -0700
sctp: Fix a race between ICMP protocol unreachable and connect()
ICMP protocol unreachable handling completely disregarded
the fact that the user may have locked the socket. It proceeded
to destroy the association, even though the user may have
held the lock and had a ref on the association. This resulted
in the following:
Attempt to release alive inet socket f6afcc00
===
[ BUG: held lock freed! ]
---
somenu/2672 is freeing memory f6afcc00-f6afcfff, with a lock still held
there!
(sk_
1 lock held by somenu/2672:
#0: (sk_lock-
stack backtrace:
Pid: 2672, comm: somenu Not tainted 2.6.32-telco #55
Call Trace:
[<c1232266>] ? printk+0xf/0x11
[<c1038553>] debug_check_
[<c10620b4>] kmem_cache_
[<c1185f25>] __sk_free+0x9d/0xab
[<c1185f9c>] sk_free+0x1c/0x1e
[<c1216e38>] sctp_associatio
[<c1220865>] __sctp_
[<c122098a>] ? sctp_connect+
[<c102d073>] ? autoremove_
[<c12209a8>] sctp_connect+
[<c11d1e80>] inet_dgram_
[<c11834fa>] sys_connect+
[<c103a3a2>] ? lock_release_
[<c1054026>] ? might_fault+
[<c1054026>] ? might_fault+
[<c11847ab>] sys_socketcall+
[<c10da994>] ? trace_hardirqs_
[<c1002959>] syscall_
This was because the sctp_wait_
lock and then proceed to release the last reference count on the
association, thus cause the fully destruction path to finish freeing
the socket.
The simplest solution is to start a very short timer in case the socket
is owned by user. When the timer expires, we can do some verification
and be able to do the release properly.
Signed-off-by: Vlad Yasevich <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
Changed in linux-fsl-imx51 (Ubuntu Hardy): | |
status: | New → Invalid |
Changed in linux-fsl-imx51 (Ubuntu Lucid): | |
status: | New → Confirmed |
Changed in linux-fsl-imx51 (Ubuntu Maverick): | |
status: | New → Invalid |
Changed in linux-fsl-imx51 (Ubuntu Natty): | |
status: | New → Invalid |
Changed in linux-fsl-imx51 (Ubuntu Oneiric): | |
status: | New → Invalid |
Changed in linux-lts-backport-maverick (Ubuntu Hardy): | |
status: | New → Invalid |
Changed in linux-lts-backport-maverick (Ubuntu Lucid): | |
status: | New → Invalid |
Changed in linux-lts-backport-maverick (Ubuntu Maverick): | |
status: | New → Invalid |
Changed in linux-lts-backport-maverick (Ubuntu Natty): | |
status: | New → Invalid |
Changed in linux-lts-backport-maverick (Ubuntu Oneiric): | |
status: | New → Invalid |
Changed in linux-mvl-dove (Ubuntu Hardy): | |
status: | New → Invalid |
Changed in linux-mvl-dove (Ubuntu Lucid): | |
status: | New → Invalid |
Changed in linux-mvl-dove (Ubuntu Maverick): | |
status: | New → Invalid |
Changed in linux-mvl-dove (Ubuntu Natty): | |
status: | New → Invalid |
Changed in linux-mvl-dove (Ubuntu Oneiric): | |
status: | New → Invalid |
Changed in linux-ti-omap4 (Ubuntu Hardy): | |
status: | New → Invalid |
Changed in linux-ti-omap4 (Ubuntu Lucid): | |
status: | New → Invalid |
Changed in linux-ti-omap4 (Ubuntu Maverick): | |
status: | New → Invalid |
Changed in linux-ti-omap4 (Ubuntu Natty): | |
status: | New → Invalid |
Changed in linux-ti-omap4 (Ubuntu Oneiric): | |
status: | New → Invalid |
description: | updated |
Changed in linux (Ubuntu Hardy): | |
assignee: | nobody → Andy Whitcroft (apw) |
status: | Confirmed → In Progress |
Changed in linux-fsl-imx51 (Ubuntu Lucid): | |
assignee: | nobody → Andy Whitcroft (apw) |
status: | Confirmed → In Progress |
Changed in linux (Ubuntu Hardy): | |
status: | In Progress → Fix Committed |
Changed in linux-fsl-imx51 (Ubuntu Lucid): | |
status: | In Progress → Fix Committed |
Changed in linux-fsl-imx51 (Ubuntu Lucid): | |
status: | Fix Committed → Fix Released |
CVE-2010-4526