[Lustre-discuss] Lustre and kernel vulnerability CVE-2009-2692
Peter Kjellstrom
cap at nsc.liu.se
Fri Aug 21 10:01:23 PDT 2009
On Friday 21 August 2009, Thomas Roth wrote:
> Hi all,
>
> while trying to fix the recent kernel vulnerability (CVE-2009-2692) we
> found that in most cases, our Lustre 1.6.5.1, 1.6.6 and 1.6.7.2 clients
> seemed to be quite well protected, at least against the published
> exploit: wunderbar_emporium seems to work, but then the root shell never
> appears. Instead, the client freezes, requiring a reset.
> Anybody else with such experiences?

One version of an exploit failing is not very comforting. There are several
exploits in the wild.

> Employing the recommended workaround by setting vm.mmap_min_addr to 4096
> blew up in our face: in particular machines with older kernels not
> knowing about mmap_min_addr reacted quite irrationally, such as
> segfaulting about every process running on the machine. Crazy things
> that should not be possible ....

I _think_ you are safe:
if (mmap_min_addr > 0 and (kernel >= 2.6.18-128.4.1 and selinux == disabled))

We've rolled out a patched kernel.

/Peter

> Regards,
> Thomas
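
The condition given in the reply above, written out as a shell check that also covers kernels with no mmap_min_addr setting. This is an added example, not part of the original message: the function names are hypothetical, and treating a missing `getenforce` as "SELinux disabled" is an assumption.

```shell
#!/bin/sh
# Added example: evaluates the rule of thumb quoted in the reply.
# Function names are hypothetical; the threshold version comes from the reply.

# ver_ge HAVE WANT: succeed if kernel release HAVE >= WANT.
# Fields are split on '.' and '-'; a suffix such as ".el5" is dropped,
# and any non-numeric field counts as 0.
ver_ge() {
    have_fields=$(printf '%s' "${1%%.el*}" | tr '.-' '  ')
    want_fields=$(printf '%s' "$2" | tr '.-' '  ')
    set -- $have_fields
    for want in $want_fields; do
        have=${1:-0}
        if [ $# -gt 0 ]; then shift; fi
        case $have in ''|*[!0-9]*) have=0 ;; esac
        if [ "$have" -gt "$want" ]; then return 0; fi
        if [ "$have" -lt "$want" ]; then return 1; fi
    done
    return 0
}

# mitigated MIN_ADDR KERNEL SELINUX: the reply's condition.
# MIN_ADDR is the sysctl value, or "absent" when the kernel lacks the setting.
mitigated() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac   # absent or unreadable
    [ "$1" -gt 0 ] || return 1
    ver_ge "$2" 2.6.18-128.4.1 || return 1
    [ "$3" = Disabled ]
}

# Collect the three inputs from the running host and print the verdict.
check_host() {
    f=/proc/sys/vm/mmap_min_addr
    if [ -r "$f" ]; then min_addr=$(cat "$f"); else min_addr=absent; fi
    if command -v getenforce >/dev/null 2>&1; then
        selinux=$(getenforce)
    else
        selinux=Disabled   # assumption: no SELinux tools, SELinux not in use
    fi
    kernel=$(uname -r)
    if mitigated "$min_addr" "$kernel" "$selinux"; then
        verdict="condition met"
    else
        verdict="condition NOT met"
    fi
    echo "mmap_min_addr=$min_addr kernel=$kernel selinux=$selinux: $verdict"
}

check_host
```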