Bug 208659 (CVE-2006-4342) - VUL-0: CVE-2006-4342: kernel: shmat hangs by simultaneous shmctl detach
Summary: VUL-0: CVE-2006-4342: kernel: shmat hangs by simultaneous shmctl detach
Status: RESOLVED INVALID
Alias: CVE-2006-4342
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: E-mail List
QA Contact: Security Team bot
URL:
Whiteboard: CVE-2006-4342: CVSS v2 Base Score: 4....
Keywords:
Depends on:
Blocks:
 
Reported: 2006-09-28 06:42 UTC by Marcus Meissner
Modified: 2021-08-11 09:09 UTC (History)
1 user (show)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
linux-2.4.21-semaphore-scale.patch (7.80 KB, patch)
2006-09-28 06:50 UTC, Marcus Meissner 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2006-09-28 06:42:04 UTC 
From: Marcel Holtmann <holtmann@redhat.com>
User-Agent: Thunderbird 1.5.0.7 (X11/20060913)
To: vendor-sec@lst.de
Subject: [vendor-sec] shmat hangs by simultaneous shmctl (embargoed)
Errors-To: vendor-sec-admin@lst.de
Date: Wed, 27 Sep 2006 17:42:51 +0200

[-- Anhang #1 --]
[-- Typ: text/plain, Kodierung: 7bit, Größe: 2,1K --]

Hi,

this got reported by a customer and we were first treating that like a
normal bug, but it actually has a security implication. It can cause
your complete system to deadlock. We assigned CVE-2006-4342 to it.

We believe that this is a RHEL3 only issue caused by one of our own
backports during the 2.5 days. However it might worth giving the
reproducer a try. This issue is embargoed until we release a hotfix
kernel with a fix for it in it. This is expected to be public really
soon and I can't do anything about it anymore. Sorry. However as said,
we don't expect anyone else to be vulnerable.

This is the description of the actual problem from on of our developers:


Deadlock happens on smp machines when a shmat() function runs at the
same time that shmctl() is used to remove the same shm. While the shmat
process waits at the spinlock in ipc_lock function, the shmctl function
deletes the path to the kern_ipc_perm structure which holds the spinlock
variable and frees the memory location. Because of this, the
ipc_unlock() run for shmctl() does not unlock the spinlock and the shmat
waits indefinitely at the spinlock.

This is serious issue for RHEL3 users especially applications using IPC
shared-memory. This deadlock brings other deadlock in IPC features (ex.
IPC semaphore) since deadlocked process holds readlock of
BR_SEMAPHORE_LOCK which are shared by all IPC features.

The code in question was backported from the 2.5 kernel with the patch
linux-2.4.21-semaphore-scale.patch by Ingo Molnar. This code does not
appear upstream in the 2.4 kernels. The Red Hat implementation on the
2.4 kernel is done using 'Big Reader' read-write locks. The patch was
written by modifying the code from the patch provided in bz # 91146 to
use brlocks. The attached reproducer recreates the issue.


I am also attaching the reproducer. Please keep in mind that this one
should be embargoed forever. It is not meant for the public.
- Compile shmat.c and shmctl.c
- Run both simultaneously on MP system
- Repeat running 

Once it happen, continuous error message from shmat will stop and the
two CPUs will be deadlocked.

Regards

Marcel
Comment 2 Marcus Meissner 2006-09-28 06:50:18 UTC 
Created attachment 99807 [details]
linux-2.4.21-semaphore-scale.patch

the buggy patch from redhat.
Comment 3 Marcus Meissner 2006-09-28 06:51:51 UTC 
as Marcel said, we are likely not affected.

i cross checked that we do not have the patch in question in our tree.
Comment 4 Thomas Biege 2009-10-13 22:28:02 UTC 
CVE-2006-4342: CVSS v2 Base Score: 4.0 (AV:L/AC:H/Au:N/C:N/I:N/A:C)