Bug 829619 (CVE-2013-4129) - VUL-0: kernel: CVE-2013-4129: bridge: BUG at kernel/timer.c:729
Summary: VUL-0: kernel: CVE-2013-4129: bridge: BUG at kernel/timer.c:729
Status: RESOLVED UPSTREAM
Alias: CVE-2013-4129
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: E-mail List
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-07-16 06:03 UTC by Sebastian Krahmer
Modified: 2014-07-02 10:04 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sebastian Krahmer 2013-07-16 06:03:51 UTC 
Via oss-sec:

Date: Mon, 15 Jul 2013 23:12:47 +0200
From: Petr Matousek
To: oss-security


Several people reported the oops: "kernel BUG at kernel/timer.c:729!"
and the stack trace is:

    #7 [ffff880214d25c10] mod_timer+501 at ffffffff8106d905
    #8 [ffff880214d25c50] br_multicast_del_pg.isra.20+261 at
ffffffffa0731d25 [bridge]
    #9 [ffff880214d25c80] br_multicast_disable_port+88 at
ffffffffa0732948 [bridge]
    #10 [ffff880214d25cb0] br_stp_disable_port+154 at ffffffffa072bcca
[bridge]
    #11 [ffff880214d25ce8] br_device_event+520 at ffffffffa072a4e8
[bridge]
    #12 [ffff880214d25d18] notifier_call_chain+76 at ffffffff8164aafc
    #13 [ffff880214d25d50] raw_notifier_call_chain+22 at
ffffffff810858f6
    #14 [ffff880214d25d60] call_netdevice_notifiers+45 at
ffffffff81536aad
    #15 [ffff880214d25d80] dev_close_many+183 at ffffffff81536d17
    #16 [ffff880214d25dc0] rollback_registered_many+168 at
ffffffff81537f68
    #17 [ffff880214d25de8] rollback_registered+49 at ffffffff81538101
    #18 [ffff880214d25e10] unregister_netdevice_queue+72 at
ffffffff815390d8
    #19 [ffff880214d25e30] __tun_detach+272 at ffffffffa074c2f0 [tun]
    #20 [ffff880214d25e88] tun_chr_close+45 at ffffffffa074c4bd [tun]
    #21 [ffff880214d25ea8] __fput+225 at ffffffff8119b1f1
    #22 [ffff880214d25ef0] ____fput+14 at ffffffff8119b3fe
    #23 [ffff880214d25f00] task_work_run+159 at ffffffff8107cf7f
    #24 [ffff880214d25f30] do_notify_resume+97 at ffffffff810139e1
    #25 [ffff880214d25f50] int_signal+18 at ffffffff8164f292

The bug was usually hit when shutting down a KVM guest.

Upstream fix:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c7e8e8a8f7a70b343ca1e0f90a31e35ab2d16de1

Introduced by:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9f00b2e7cf241fa389733d41b6

Introduced in upstream version:
v3.11-rc1 (but we had it in Fedora because of bz#880035)

References:
https://bugzilla.redhat.com/show_bug.cgi?id=984743
https://bugzilla.redhat.com/show_bug.cgi?id=980254
http://pkgs.fedoraproject.org/cgit/kernel.git/commit/?h=f19&id=a993279a9bb538ae524fca69ec23c5c1b428f47e

--
Petr Matousek / Red Hat Security Response Team
Comment 1 Sebastian Krahmer 2013-07-16 06:04:36 UTC 
CVE-2013-4129
Comment 2 Swamp Workflow Management 2013-07-16 22:00:11 UTC 
bugbot adjusting priority
Comment 3 Michal Hocko 2013-07-23 14:40:06 UTC 
9f00b2e7cf241fa389733d41b6 doesn't seem to be present in any SLE branch.
Comment 4 Marcus Meissner 2013-07-24 13:07:28 UTC 
so we are not affected then.