oss-sec mailing list archives
CVE Request -- kernel: request_module() OOM local DoS
From: Petr Matousek <pmatouse () redhat com>
Date: Fri, 31 Aug 2012 18:40:28 +0200
As Tetsuo Handa pointed out, request_module() can stress the system while the oom-killed caller sleeps in TASK_UNINTERRUPTIBLE. The task T uses "almost all" memory, then it does something which triggers request_module(). Say, it can simply call sys_socket(). This in turn needs more memory and leads to OOM. oom-killer correctly chooses T and kills it, but this can't help because it sleeps in TASK_UNINTERRUPTIBLE and after that oom-killer becomes "disabled" by the TIF_MEMDIE task T. A local unprivileged user can make the system unusable. Upstream fixes: (1) 70834d30 "usermodehelper: use UMH_WAIT_PROC consistently" (2) b3449922 "usermodehelper: introduce umh_complete(sub_info)" (3) d0bd587a "usermodehelper: implement UMH_KILLABLE" (4) 9d944ef3 "usermodehelper: kill umh_wait, renumber UMH_* constants" (5) 5b9bd473 "usermodehelper: ____call_usermodehelper() doesn't need do_exit()" (6) 3e63a93b "kmod: introduce call_modprobe() helper" (7) 1cc684ab "kmod: make __request_module() killable" According to the reporter, (1) and (4) are optional and safer to exclude. Acknowledgements: Red Hat would like to thank Tetsuo Handa for reporting this issue. References: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/963685 https://bugzilla.redhat.com/show_bug.cgi?id=853474 Thanks, -- Petr Matousek / Red Hat Security Response Team
Current thread:
- CVE Request -- kernel: request_module() OOM local DoS Petr Matousek (Aug 31)
- <Possible follow-ups>
- CVE Request -- kernel: request_module() OOM local DoS Kurt Seifried (Sep 02)