[Lustre-discuss] Lustre and kernel vulnerability CVE-2009-2692

Robin Humble robin.humble+lustre at anu.edu.au
Fri Aug 21 10:11:39 PDT 2009


On Fri, Aug 21, 2009 at 06:41:01PM +0200, Thomas Roth wrote:
>Hi all,
>
>while trying to fix the recent kernel vulnerability (CVE-2009-2692) we
>found that in most cases, our Lustre 1.6.5.1, 1.6.6 and 1.6.7.2 clients
>seemed to be quite well protected, at least against the published
>exploit: wunderbar_emporium seems to work, but then the root shell never
>appears. Instead, the client freezes, requiring a reset.
>Anybody else with such experiences?

no freezes here.
wunderbar_emporium didn't work against rhel/centos 2.6.18-128.4.1.el5
with patchless Lustre 1.6.7.2 after it was patched with the upstream
one-liner:
  http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e694958388c50148389b0e9b9e9e8945cf0f1b98

no idea if it was exploitable before or not - didn't try.

RedHat's view on this vulnerability is err, interesting... :-/
  http://kbase.redhat.com/faq/docs/DOC-18065
  https://bugzilla.redhat.com/show_bug.cgi?id=516949

>Employing the recommended workaround by setting vm.mmap_min_addr to 4096

where did you see that recommended?

the RHEL based machines I've looked at have this set to 64k, but if they
are also running SELinux (which I presume few Lustre machines are?) then
they still might be vulnerable I guess.

cheers,
robin

>blew up in our face: in particular machines with older kernels not
>knowing about mmap_min_addr reacted quite irrationally, such as
>segfaulting about every process running on the machine. Crazy things
>that should not be possible ....
>
>Regards,
>Thomas
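
Added example, not part of the original thread: a read-only check to run on each client before applying the workaround discussed above. It reports whether the kernel exposes `vm.mmap_min_addr` at all and how it is set, and whether SELinux is present (the case the reply flags for a closer look). The function names, output labels and default SELinux path are assumptions of this example.

```shell
#!/bin/sh
# Read-only audit of vm.mmap_min_addr; it changes nothing on the host.
# File paths are parameters so the logic can be run against constructed files.

# classify_min_addr VALUE -> prints a one-word label (labels are this example's own)
classify_min_addr() {
    case "$1" in
        ''|*[!0-9]*) echo "invalid" ;;
        *)
            if [ "$1" -eq 0 ]; then
                echo "disabled"            # page zero can be mapped
            elif [ "$1" -lt 4096 ]; then
                echo "below-one-page"
            elif [ "$1" -lt 65536 ]; then
                echo "set"                 # e.g. the 4096 mentioned in the thread
            else
                echo "set-64k-or-more"     # e.g. the 64k seen on RHEL machines
            fi ;;
    esac
}

# audit_host [SYSCTL_FILE] [SELINUX_ENFORCE_FILE]
audit_host() {
    sysctl_file="${1:-/proc/sys/vm/mmap_min_addr}"
    selinux_file="${2:-/sys/fs/selinux/enforce}"   # older systems: /selinux/enforce

    if [ -r "$sysctl_file" ]; then
        state=$(classify_min_addr "$(cat "$sysctl_file")")
    else
        # Kernel does not know the sysctl: do not push the setting to this host.
        state="unsupported"
    fi

    if [ -e "$selinux_file" ]; then
        selinux="present"                  # review separately, per the reply above
    else
        selinux="absent"
    fi
    echo "mmap_min_addr=$state selinux=$selinux"
}

audit_host "$@"
```

Hosts reporting `unsupported` are the ones where writing the sysctl should be skipped rather than forced.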