Bug 920583 (CVE-2014-8173) - VUL-1: CVE-2014-8173: kernel-source: NULL pointer dereference in madvise(MADV_WILLNEED) support
Status: RESOLVED FIXED
Alias: CVE-2014-8173
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P4 - Low : Normal
Target Milestone: ---
Assignee: E-mail List
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/114410/
Whiteboard: CVSSv2:RedHat:CVE-2014-8173:4.9:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-03-04 10:54 UTC by Marcus Meissner
Modified: 2016-04-27 20:09 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2015-03-04 10:54:25 UTC
via kernel git and oss-sec


http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ee53664bda169f519ce3c6a22d378f0b946c8178

Author: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Date:   Fri Dec 20 15:10:03 2013 +0200

    mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support
    
    Sasha Levin found a NULL pointer dereference that is due to a missing
    page table lock, which in turn is due to the pmd entry in question being
    a transparent huge-table entry.
    
    The code - introduced in commit 1998cc048901 ("mm: make
    madvise(MADV_WILLNEED) support swap file prefetch") - correctly checks
    for this situation using pmd_none_or_trans_huge_or_clear_bad(), but it
    turns out that that function doesn't work correctly.
    
    pmd_none_or_trans_huge_or_clear_bad() expected that pmd_bad() would
    trigger if the transparent hugepage bit was set, but it doesn't do that
    if pmd_numa() is also set. Note that the NUMA bit only gets set on real
    NUMA machines, so people trying to reproduce this on most normal
    development systems would never actually trigger this.
    
    Fix it by removing the very subtle (and subtly incorrect) expectation,
    and instead just checking pmd_trans_huge() explicitly.
    
    Reported-by: Sasha Levin <sasha.levin@oracle.com>
    Acked-by: Andrea Arcangeli <aarcange@redhat.com>
    [ Additionally remove the now stale test for pmd_trans_huge() inside the
      pmd_bad() case - Linus ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

CVE-2014-8173
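The check the commit message describes can be modelled in user space. The following is an added example, not the kernel's code and not part of this bug report: it re-creates the 3.12-era x86 predicates (pmd_none(), pmd_trans_huge(), pmd_numa(), pmd_bad() with its NUMA short-circuit) and the generic pmd_none_or_trans_huge_or_clear_bad() helper before and after the fix in ee53664bda16, then feeds both a constructed huge pmd that also carries the NUMA hinting marker. Bit positions, the flag mask, the pfn and the sample entries are illustrative assumptions; the kernel's real definitions live in arch/x86/include/asm/pgtable_types.h and include/asm-generic/pgtable.h.

```c
/*
 * Simplified model of the x86 pmd predicates behind CVE-2014-8173.
 * Constructed for illustration: bit positions, the flag mask and the helper
 * bodies are assumptions modelled on the 3.12-era x86/asm-generic headers,
 * not the kernel's own code.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t pmdval_t;

#define _PAGE_PRESENT  (1ULL << 0)
#define _PAGE_RW       (1ULL << 1)
#define _PAGE_USER     (1ULL << 2)
#define _PAGE_ACCESSED (1ULL << 5)
#define _PAGE_DIRTY    (1ULL << 6)
#define _PAGE_PSE      (1ULL << 7)   /* entry maps a huge page, not a PTE table */
#define _PAGE_NUMA     (1ULL << 8)   /* NUMA hinting marker (bit number is illustrative) */

#define _KERNPG_TABLE  (_PAGE_PRESENT | _PAGE_RW | _PAGE_ACCESSED | _PAGE_DIRTY)
#define PTE_FLAGS_MASK 0xfffULL      /* simplified: low 12 bits hold the flags */

static pmdval_t pmd_flags(pmdval_t pmd)  { return pmd & PTE_FLAGS_MASK; }
static bool pmd_none(pmdval_t pmd)       { return pmd == 0; }
static bool pmd_trans_huge(pmdval_t pmd) { return (pmd & _PAGE_PSE) != 0; }

/* A NUMA-hinting entry has _PAGE_PRESENT cleared and _PAGE_NUMA set. */
static bool pmd_numa(pmdval_t pmd)
{
    return (pmd_flags(pmd) & (_PAGE_NUMA | _PAGE_PRESENT)) == _PAGE_NUMA;
}

/*
 * A pmd is "bad" when its flags are not exactly those of a page-table pointer.
 * A huge pmd carries _PAGE_PSE and so normally counts as bad, which the old
 * predicate below relied on. The NUMA short-circuit reports "not bad" for any
 * pmd_numa() entry, huge or not, and that is what defeats the old check.
 */
static bool pmd_bad(pmdval_t pmd)
{
    if (pmd_numa(pmd))
        return false;
    return (pmd_flags(pmd) & ~_PAGE_USER) != _KERNPG_TABLE;
}

/* Verdict: 1 = caller must not walk this pmd as a PTE table, 0 = it may. */
static int old_pmd_none_or_trans_huge_or_clear_bad(pmdval_t *pmd, bool *cleared)
{
    pmdval_t pmdval = *pmd;
    if (pmd_none(pmdval))
        return 1;
    if (pmd_bad(pmdval)) {
        if (!pmd_trans_huge(pmdval)) {   /* pmd_clear_bad(): wipe a corrupt entry */
            *pmd = 0;
            *cleared = true;
        }
        return 1;
    }
    return 0;   /* a huge+NUMA pmd ends up here because pmd_bad() said "fine" */
}

/* Fixed version (ee53664bda16): test pmd_trans_huge() explicitly. */
static int new_pmd_none_or_trans_huge_or_clear_bad(pmdval_t *pmd, bool *cleared)
{
    pmdval_t pmdval = *pmd;
    if (pmd_none(pmdval) || pmd_trans_huge(pmdval))
        return 1;
    if (pmd_bad(pmdval)) {
        *pmd = 0;
        *cleared = true;
        return 1;
    }
    return 0;
}

typedef int (*pmd_check_fn)(pmdval_t *, bool *);

/* Run a check on a private copy so sample entries are not modified. */
static int check_verdict(pmd_check_fn check, pmdval_t pmd)
{
    bool cleared = false;
    return check(&pmd, &cleared);
}
static bool check_clears_entry(pmd_check_fn check, pmdval_t pmd)
{
    bool cleared = false;
    check(&pmd, &cleared);
    return cleared;
}

/* The failure condition: the MADV_WILLNEED walker is told a huge pmd is an
 * ordinary PTE table and would go on to treat it as one. */
static bool walker_descends_into_huge_pmd(pmd_check_fn check, pmdval_t pmd)
{
    return check_verdict(check, pmd) == 0 && pmd_trans_huge(pmd);
}

/* Constructed sample entries; the pfn is arbitrary. */
#define SAMPLE_PFN 0x12345000ULL
static pmdval_t sample_table_pmd(void)     { return SAMPLE_PFN | _KERNPG_TABLE | _PAGE_USER; }
static pmdval_t sample_huge_pmd(void)      { return sample_table_pmd() | _PAGE_PSE; }
static pmdval_t sample_huge_numa_pmd(void) { return (sample_huge_pmd() & ~_PAGE_PRESENT) | _PAGE_NUMA; }
static pmdval_t sample_corrupt_pmd(void)   { return SAMPLE_PFN | _PAGE_PRESENT; }

int main(void)
{
    struct { const char *name; pmdval_t pmd; } cases[] = {
        { "pte table", sample_table_pmd() },
        { "huge",      sample_huge_pmd() },
        { "huge+numa", sample_huge_numa_pmd() },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-10s old check descends: %d   fixed check descends: %d\n", cases[i].name,
               walker_descends_into_huge_pmd(old_pmd_none_or_trans_huge_or_clear_bad, cases[i].pmd),
               walker_descends_into_huge_pmd(new_pmd_none_or_trans_huge_or_clear_bad, cases[i].pmd));
    return 0;
}
```

Only the "huge+numa" row differs between the two predicates: the old one returns 0 for it and the walker descends, the fixed one returns 1 before pmd_bad() is consulted at all. This is also why the commit notes the bug does not reproduce on non-NUMA boxes: without NUMA balancing the marker is never set, pmd_bad() sees the PSE bit and the old check happens to work.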
Comment 1 Marcus Meissner 2015-03-04 10:55:13 UTC
The commit 1998cc048901 was added during 3.9 kernel development; older kernels are not affected.
Comment 2 Marcus Meissner 2015-03-04 10:57:56 UTC
SLES 11 and older also do not have backports of this feature, so they are not affected.


-> SLES 12, openSUSE only.
Comment 3 Michal Hocko 2015-03-04 12:49:33 UTC
OK, I am on it.
Comment 4 Michal Hocko 2015-03-04 13:06:44 UTC
SLE12 already has the patch d71cf525698feee3a7789cc0950311de0ad6866d (in our tree).

The fix is upstream since 3.13 so openSUSE-13.2 is not affected.
Pushed to openSUSE-13.1
Comment 5 Swamp Workflow Management 2015-03-04 23:00:24 UTC
bugbot adjusting priority
Comment 6 Marcus Meissner 2015-04-08 12:09:41 UTC
ok, all done then I think.