
Bug#672660: linux-2.6: CVE-2012-0810 kernel-rt: stack corruption when task gets scheduled out using the debug stack

Package: linux-2.6
Version: 3.2.16-1
Severity: grave
Tags: security
Justification: user security hole

This seems to have slipped through the kernel-sec repository...

Citing Red Hat:

The issue is that the int3 handler uses a per CPU debug stack, and calls
do_trap() with interrupts enabled but preemption disabled. Then a signal
is sent to the current process, and the code that handles the signal grabs
a spinlock. This spinlock becomes a mutex (sleeping lock) when
CONFIG_PREEMPT_RT_FULL is enabled.

If there is contention on this lock then the task may schedule out. As the
task is using a per CPU stack, and another task may come in and use the
same stack, the stack can become corrupted and cause the kernel to panic.

http://security-tracker.debian.org/tracker/CVE-2012-0810
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0810
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0810

Keep up the good work,

AW

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable'), (40, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.16 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
