oss-sec mailing list archives

CVE Request -- kernel: request_module() OOM local DoS

From: Kurt Seifried <kseifried () redhat com>
Date: Sun, 02 Sep 2012 11:35:55 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

As Tetsuo Handa pointed out, request_module() can stress the system
while the oom-killed caller sleeps in TASK_UNINTERRUPTIBLE.

The task T uses "almost all" memory, then it does something which
triggers request_module().  Say, it can simply call sys_socket().  This
in turn needs more memory and leads to OOM.  oom-killer correctly
chooses T and kills it, but this can't help because it sleeps in
TASK_UNINTERRUPTIBLE and after that oom-killer becomes "disabled" by the
TIF_MEMDIE task T.

A local unprivileged user can make the system unusable.

Upstream fixes:
(1) 70834d30 "usermodehelper: use UMH_WAIT_PROC consistently"
(2) b3449922 "usermodehelper: introduce umh_complete(sub_info)"
(3) d0bd587a "usermodehelper: implement UMH_KILLABLE"
(4) 9d944ef3 "usermodehelper: kill umh_wait, renumber UMH_* constants"
(5) 5b9bd473 "usermodehelper: ____call_usermodehelper() doesn't need
do_exit()"
(6) 3e63a93b "kmod: introduce call_modprobe() helper"
(7) 1cc684ab "kmod: make __request_module() killable"

According to the reporter, (1) and (4) are optional and safer to
exclude.

Acknowledgements:

Red Hat would like to thank Tetsuo Handa for reporting this issue.

References:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/963685
https://bugzilla.redhat.com/show_bug.cgi?id=853474

Thanks,
- -- 
Petr Matousek / Red Hat Security Response Team

====
For some reason this wasn't in my email hence the new message and not
a proper reply).

Please use CVE-2012-4398 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQQ5j7AAoJEBYNRVNeJnmTxCAP/iAnk1EioSt9wkWZ48oF8xSJ
/kYtqwkuCn4dAu27SN6W74WqdWImVZvkazsof4I4nYMmPzVxrR54Sq+wqy6hOCea
v2hGTkjNdIG3aDZNHkpzzLpJUFCtLbHnH9f5Fdn/s/Xwhg1LFGsRWdA5vYlH0Kuy
/xcV2+oysRahV5dv9M045IsQZjRQZBoMru532P5Lj8F7+O1WQ520fRLFn/VQ1fKV
s1OFLU5Xjyhnt+irR/vFkpp2uAUmWOoo/voBoCK36bsHZdJEvOGhWNofeuUgNYmF
5W4yia3/NXVBHEsb/5OCBIaxNvanFnji7SVisIpRe7i6xyC+rPiaFBDSoaQLXwRs
tjy7ubYce95KCbALlZauIXc+V/uQrK5XazmGrUXcjPNymzE1SFCfKqgzdYGZ1X28
XjizKvVCRSLsybo/RaYNd+b7wt04lXuY8XCPA1NlivMKRyvzEDpQdvCqjnV1FzfZ
Id4WgbOUtf+Bagc6dqp/LD88T+V2AoUJ8GI1dY+7oIWX1F0n1yUQGZ62AzbZIxZG
N/v7ro4AJEfTqSfyRzdjCiXzyC3WRDwjzmx2g9fARNvO3ydEGfB3XvKfNLZygVhS
dwL+jAaUXvdLf7EXCFonE0mACwTrkJJdJN37ZJHz3Ub36c/+ued+vzT5+ugV5a++
iTL0sYG0csCol8mXGF9Y
=6mwA
-----END PGP SIGNATURE-----

Current thread:

CVE Request -- kernel: request_module() OOM local DoS Petr Matousek (Aug 31)
- <Possible follow-ups>
- CVE Request -- kernel: request_module() OOM local DoS Kurt Seifried (Sep 02)