Bug 227394 - CVE-2007-0006 spinlock cpu recursion
Summary: CVE-2007-0006 spinlock cpu recursion
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 5
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: David Howells
QA Contact: Brian Brock
URL:
Whiteboard:
Duplicates: 227395
Depends On:
Blocks:
Reported: 2007-02-05 19:31 UTC by devon kerr
Modified: 2007-11-30 22:11 UTC (History)
CC List: 1 user

Fixed In Version: 2.6.19-1.2288.fc5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-02-22 20:24:04 UTC


Attachments
This is the error log of the spinlock recursion (deleted)
2007-02-05 19:31 UTC, devon kerr
Patch to fix the key serial no. collision problem (deleted)
2007-02-06 13:41 UTC, David Howells


Links
System: Linux Kernel    ID: 7727    Priority: None    Status: None    Summary: None    Last Updated: Never

Description devon kerr 2007-02-05 19:31:51 UTC
Description of problem:
We would like to report an error we received from one of our web servers. We are hesitantly suggesting that this is a software issue: we have an identical machine which has not exhibited this error. A line from the error log seems to provide some insight:

Dec 12 10:13:01 clio kernel:  <0>BUG: spinlock cpu recursion on CPU#1,
suexec/27413 (Not tainted)

The complete text of the error log has been attached.

Version-Release number of selected component (if applicable):
Fedora Core 5; Linux Kernel 2.16.18-1.2239 for x86_64; Apache 2.2.3; php 5.1

How reproducible:
we have yet to reproduce this issue.


Comment 1 devon kerr 2007-02-05 19:31:51 UTC
Created attachment 147394 [details]
This is the error log of the spinlock recursion

Comment 2 Chuck Ebbert 2007-02-05 21:23:17 UTC
*** Bug 227395 has been marked as a duplicate of this bug. ***

Comment 3 Chuck Ebbert 2007-02-05 22:08:50 UTC
This is the real problem:
Unable to handle kernel NULL pointer dereference at 0000000000000010
RIP:  [<ffffffff80225942>] __rb_rotate_left+0x7/0x5b
PGD 3a828067 PUD 3d934067 PMD 0 
Oops: 0000 [1] SMP 
last sysfs file: /block/hdb/size
CPU 1
Modules linked in: ipv6 nfs lockd fscache nfs_acl rfcomm l2cap bluetooth sunrpc
dm_mirror dm_mod video sbs i2c_ec i2c_core button battery asus_acpi ac lp
parport_pc parport sg tg3 ide_cd cdrom shpchp k8_edac edac_mc ohci_hcd
serio_raw floppy ehci_hcd pcspkr raid1 ext3 jbd sata_svw libata sd_mod
scsi_mod
Pid: 27406, comm: suexec Not tainted 2.6.18-1.2239.fc5 #1
RIP: 0010:[<ffffffff80225942>]  [<ffffffff80225942>] __rb_rotate_left+0x7/0x5b
RSP: 0018:ffff810151397df0  EFLAGS: 00010282
RAX: ffff81005a1ded48 RBX: ffff810102505508 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff806de5e0 RDI: ffff810203166088
RBP: ffff810203166088 R08: ffff8102031668c8 R09: 0000000000000000
R10: 000000005e4ae5f3 R11: ffff810151397c70 R12: ffff810102505508
R13: ffff81005a1ded48 R14: ffffffff806de5e0 R15: 0000000000000026
FS:  00002aaaaaabb850(0000) GS:ffff810103c3b1c0(0000) knlGS: 00000000f7fee8d0
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000010 CR3: 00000000da38b000 CR4: 00000000000006e0
Process suexec (pid: 27406, threadinfo ffff810151396000, task ffff8101d7cf5080)
Stack:  ffffffff80212aff ffff81005a1ded40 ffff810102505518 0000000000000000
	ffff81005a1ded40 ffff810151397eb8 ffffffff80312779 0000000046f0a978
	0000000000000000 1f3f0000aa8adfff ffff8101d7cf5080 000003eaffffffff
Call Trace:
  [<ffffffff80212aff>] rb_insert_color+0xb2/0xda
  [<ffffffff80312779>] key_alloc+0x2b0/0x384
  [<ffffffff8031377b>] keyring_alloc+0x29/0x5f
  [<ffffffff80314ea2>] alloc_uid_keyring+0x3d/0xa6
  [<ffffffff80293a5c>] alloc_uid+0xa9/0x16f
  [<ffffffff802963d6>] set_user+0xf/0x97
  [<ffffffff80297b5c>] sys_setuid+0x7d/0x154
  [<ffffffff8025c00e>] system_call+0x7e/0x83
Code: 48 8b 51 10 49 83 e0 fc 48 85 d2 48 89 57 08 74 0c 48 8b 02


Comment 4 David Howells 2007-02-06 13:31:41 UTC
Duplicate of http://bugzilla.kernel.org/show_bug.cgi?id=7727

Comment 5 David Howells 2007-02-06 13:41:11 UTC
Created attachment 147464 [details]
Patch to fix the key serial no. collision problem

