On Fri, Aug 21, 2009 at 06:41:01PM +0200, Thomas Roth wrote:
>Hi all,
>
>while trying to fix the recent kernel vulnerability (CVE-2009-2692) we
>found that in most cases, our Lustre 1.6.5.1, 1.6.6 and 1.6.7.2 clients
>seemed to be quite well protected, at least against the published
>exploit: wunderbar_emporium seems to work, but then the root shell never
>appears. Instead, the client freezes, requiring a reset.
>Anybody else with such experiences?

no freezes here.

wunderbar_emporium didn't work against rhel/centos 2.6.18-128.4.1.el5
with patchless Lustre 1.6.7.2 after it was patched with the upstream
one-liner:
  http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e694958388c50148389b0e9b9e9e8945cf0f1b98

no idea if it was exploitable before or not - didn't try.

RedHat's view on this vulnerability is err, interesting... :-/
  http://kbase.redhat.com/faq/docs/DOC-18065
  https://bugzilla.redhat.com/show_bug.cgi?id=516949

>Employing the recommended workaround by setting vm.mmap_min_addr to 4096

where did you see that recommended?
the RHEL based machines I've looked at have this set to 64k, but if they
are also running SELinux (which I presume few Lustre machines are?) then
they still might be vulnerable I guess.

cheers,
robin

>blew up in our face: in particular machines with older kernels not
>knowing about mmap_min_addr reacted quite irrationally, such as
>segfaulting about every process running on the machine. Crazy things
>that should not be possible ....
>
>Regards,
>Thomas

_______________________________________________
Lustre-discuss mailing list
[email protected]
http://lists.lustre.org/mailman/listinfo/lustre-discuss
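
A read-only pre-check for the situation described in the thread above, where pushing vm.mmap_min_addr to kernels that do not know the setting went badly. This is an added example, not part of the original messages; the function name, its output strings and return codes, and the overridable file argument are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: report the state of vm.mmap_min_addr without changing it.
# Intended to run before any sysctl change is rolled out to a mixed fleet.

# check_mmap_min_addr MIN_BYTES [FILE]
#   MIN_BYTES  lowest acceptable value (the thread mentions 4096 and 64k)
#   FILE       sysctl file to read; defaults to the real /proc path and is
#              overridable so the check can be run against a constructed file
# Prints one status word and returns:
#   0 ok, 1 disabled or below MIN_BYTES, 2 kernel lacks the sysctl, 3 unreadable
check_mmap_min_addr() {
    want=$1
    file=${2:-/proc/sys/vm/mmap_min_addr}

    # Kernels that predate the setting have no such file: do not try to set it.
    if [ ! -e "$file" ]; then
        echo "unsupported"
        return 2
    fi

    cur=$(cat "$file" 2>/dev/null) || { echo "unreadable"; return 3; }
    case $cur in
        ''|*[!0-9]*) echo "unparsable"; return 3 ;;
    esac

    if [ "$cur" -eq 0 ]; then
        echo "disabled"          # no low-address mapping restriction at all
        return 1
    fi
    if [ "$cur" -lt "$want" ]; then
        echo "low:$cur"          # restriction present but below the threshold
        return 1
    fi
    echo "ok:$cur"
    return 0
}

# Check this host only when a threshold is given, e.g.: sh check.sh 65536
if [ "$#" -ge 1 ]; then
    check_mmap_min_addr "$1"
fi
```

The return code separates "kernel lacks the sysctl" from "value too low", so a rollout script can skip the former instead of writing to it.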
