Arne Wichmann
2012-May-12 17:46 UTC
[Secure-testing-team] Bug#672660: linux-2.6: CVE-2012-0810 kernel-rt: stack corruption when task gets scheduled out using the debug stack
Package: linux-2.6
Version: 3.2.16-1
Severity: grave
Tags: security
Justification: user security hole

This seems to have slipped through the kernel-sec repository...

Citing Redhat:

The issue is that the int3 handler uses a per CPU debug stack, and calls do_traps() with interrupts enabled but preemption disabled. Then a signal is sent to the current process, and the code that handles the signal grabs a spinlock. This spinlock becomes a mutex (sleeping lock) when CONFIG_PREEMPT_RT_FULL is enabled. If there is contention on this lock then the task may schedule out. As the task is using a per CPU stack, and another task may come in and use the same stack, the stack can become corrupted and cause the kernel to panic.

http://security-tracker.debian.org/tracker/CVE-2012-0810
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0810
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0810

Keep up the good work,
AW

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable'), (40, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.16 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
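The mechanism quoted in the report (a trap frame on a per-CPU stack, a lock that sleeps under CONFIG_PREEMPT_RT_FULL, a second task reusing the same stack while the first is scheduled out) can be modelled in a few lines of ordinary C. The following is an added illustration written for this page, not code from the Debian bug, the Red Hat advisory or the kernel: one "CPU" is modelled as a single shared debug_stack array, the struct task type, the frame contents and the two handler functions are all constructed for the model, and the "fixed" variant shows one generic mitigation (copy the state you depend on off the shared stack before calling anything that may sleep), which is an assumption for illustration and not a claim about what the real patch does.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the scenario in the report: one CPU, one per-CPU
 * debug stack, and two tasks that may each take an int3 trap on that CPU.
 * Nothing here is kernel code; all names and values are made up. */

#define STACK_WORDS 4

struct task {
    const char *name;
    uint32_t frame[STACK_WORDS];          /* what this task's trap pushed */
    uint32_t private_stack[STACK_WORDS];  /* the task's own kernel stack */
};

/* Shared by every task that traps on this CPU (the per-CPU debug stack). */
static uint32_t debug_stack[STACK_WORDS];

/* Sample tasks (constructed): distinct frame contents so corruption is visible. */
static struct task task_a = { "A", { 0xA1, 0xA2, 0xA3, 0xA4 }, { 0 } };
static struct task task_b = { "B", { 0xB1, 0xB2, 0xB3, 0xB4 }, { 0 } };

/* int3 entry: the trap frame lands on the per-CPU debug stack. */
static void int3_enter(const struct task *t)
{
    memcpy(debug_stack, t->frame, sizeof debug_stack);
}

/* Is the frame the current task pushed still what is on the debug stack? */
static int debug_stack_holds(const struct task *t)
{
    return memcmp(debug_stack, t->frame, sizeof debug_stack) == 0;
}

/* The spinlock taken on the signal path. With CONFIG_PREEMPT_RT_FULL it is
 * a sleeping lock, so contention schedules the current task out even though
 * the int3 path disabled preemption. While it is out, `other` runs on this
 * CPU, takes its own trap and lands on the very same debug stack.
 * Returns 1 if the caller was scheduled out, 0 if the lock just spun. */
static int take_signal_lock(int rt_full, int contended, const struct task *other)
{
    if (rt_full && contended) {
        int3_enter(other);   /* other task's frame overwrites ours */
        return 1;
    }
    return 0;                /* raw spinlock: busy-waits, never sleeps */
}

/* Buggy shape: keep relying on the per-CPU stack across a call that may
 * sleep. Returns 1 if the frame is intact when the task resumes, else 0. */
static int int3_handler_buggy(const struct task *cur, const struct task *other,
                              int rt_full, int contended)
{
    int3_enter(cur);
    take_signal_lock(rt_full, contended, other);
    return debug_stack_holds(cur);
}

/* Mitigation modelled here (an assumption, not the vendor patch): move the
 * state we depend on onto the task's own stack before calling anything that
 * may sleep, so another task reusing the debug stack cannot clobber it. */
static int int3_handler_fixed(struct task *cur, const struct task *other,
                              int rt_full, int contended)
{
    int3_enter(cur);
    memcpy(cur->private_stack, debug_stack, sizeof cur->private_stack);
    take_signal_lock(rt_full, contended, other);
    return memcmp(cur->private_stack, cur->frame, sizeof cur->frame) == 0;
}

int main(void)
{
    printf("non-RT, contended lock     : frame intact = %d\n",
           int3_handler_buggy(&task_a, &task_b, 0, 1));
    printf("RT_FULL, uncontended lock  : frame intact = %d\n",
           int3_handler_buggy(&task_a, &task_b, 1, 0));
    printf("RT_FULL, contended, buggy  : frame intact = %d\n",
           int3_handler_buggy(&task_a, &task_b, 1, 1));
    printf("RT_FULL, contended, fixed  : frame intact = %d\n",
           int3_handler_fixed(&task_a, &task_b, 1, 1));
    return 0;
}
```

Only the third case corrupts the frame: the lock has to be a sleeping one (RT_FULL) and contended, which is exactly the combination the report describes, and the damage comes from reusing the per-CPU stack, not from the lock itself.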