[Lustre-discuss] Lustre and kernel vulnerability CVE-2009-2692

Thomas Roth t.roth at gsi.de
Fri Aug 21 11:08:01 PDT 2009



Peter Kjellstrom wrote:
> On Friday 21 August 2009, Thomas Roth wrote:
>> Hi all,
>>
>> while trying to fix the recent kernel vulnerability (CVE-2009-2692) we
>> found that in most cases, our Lustre 1.6.5.1, 1.6.6 and 1.6.7.2 clients
>> seemed to be quite well protected, at least against the published
>> exploit: wunderbar_emporium seems to work, but then the root shell never
>> appears. Instead, the client freezes, requiring a reset.
>> Anybody else with such experiences?
> 
> One version of an exploit failing is not very comforting. There are several 
> exploits in the wild.

Of course not. I didn't mean to say that Lustre clients are
invulnerable, just thought it funny that this exploit and Lustre seem to
"exclude" each other. It might mean that whatever part of the running
system is used by the exploits is also Lustre-relevant. That would be
even less comforting then.


>> Employing the recommended workaround by setting vm.mmap_min_addr to 4096
>> blew up in our face: in particular machines with older kernels not
>> knowing about mmap_min_addr reacted quite irrationally, such as
>> segfaulting about every process running on the machine. Crazy things
>> that should not be possible ....
> 
> I _think_ you are safe:
> if (mmap_min_addr > 0 and (kernel >= 2.6.18-128.4.1 and selinux == disabled))
> 
Well, I understood the vulnerability was present in all kernels up to
2.6.30, until the recent fixes arrived. Once you have a patched kernel,
you don't have to bother about mmap_min_addr.



> We've rolled out a patched kernel.
> 
> /Peter
> 

Regards,
Thomas

>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Lustre-discuss mailing list
>> Lustre-discuss at lists.lustre.org
>> http://lists.lustre.org/mailman/listinfo/lustre-discuss




More information about the lustre-discuss mailing list