Re: CVE request -- kernel: mm: memcg: unregistring of events attached to the same eventfd can lead to oops

[Kurt Seifried <kseifried () redhat com>]

On 03/07/2012 03:57 AM, Petr Matousek wrote:
> There is an issue when memcg unregisters events that were attached to
> the same eventfd:
>
> - On the first call mem_cgroup_usage_unregister_event() removes all
>   events attached to a given eventfd, and if there were no events left,
>   thresholds->primary would become NULL;
>
> - Since there were several events registered, cgroups core will call
>   mem_cgroup_usage_unregister_event() again, but now kernel will oops,
>   as the function doesn't expect that threshold->primary may be NULL.
>
>  BUG: unable to handle kernel NULL pointer dereference at
> 0000000000000004
>  IP: [<ffffffff810be32c>] mem_cgroup_usage_unregister_event+0x9c/0x1f0
>  Pid: 574, comm: kworker/0:2 Not tainted 3.3.0-rc4+ #9 Bochs Bochs
>  RIP: 0010:[<ffffffff810be32c>]  [<ffffffff810be32c>]
> mem_cgroup_usage_unregister_event+0x9c/0x1f0
>  RSP: 0018:ffff88001d0b9d60  EFLAGS: 00010246
>  Process kworker/0:2 (pid: 574, threadinfo ffff88001d0b8000, task
> ffff88001de91cc0)
>  Call Trace:
>   [<ffffffff8107092b>] cgroup_event_remove+0x2b/0x60
>   [<ffffffff8103db94>] process_one_work+0x174/0x450
>   [<ffffffff8103e413>] worker_thread+0x123/0x2d0
>
> A local attacker able to register threshold events could use this flaw
> to crash the system.
>
> The earliest commit that *might* introduce this issue is 2e72b634 in
> 2.6.34-rc2. I haven't tested it though and the code isi slightly
> different.
>
> On the current kernels without the fix I'm able to reproduce the bug
> easily.
>
> Upstream commit:
> 371528c (3.3-rc5)
>
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=800813
> http://git.kernel.org/linus/371528c
>
> Thanks,

Please use CVE-2012-1146 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)