IBM Support

Revised InfoSphere Guardium ALERT for bug 29846

Flash (Alert)


This alert gives details of a rare race condition in the LhmonProxy driver in InfoSphere Guardium that has the potential to cause a Windows O/S crash.


Severity: High

Technical Description:
The basic architecture is that the TCP/IP driver sent a request to the transport driver to receive datagram packets back. The LhmonProxy driver intercepted this request so that it would receive the datagram packets and relay them up to the TCP/IP driver. The LhmonProxy driver substitutes its event handler for the TCP/IP driver's event handler, as a standard Tivoli Directory Integrator filter driver would do.

However, IBM has identified an existing race condition between TCP/IP removing the event handler context and datagram packets being received in the event handler. In this case, a datagram would be received shortly BEFORE the associated event handler context was de-allocated by the TCP/IP driver, and thus by the LhmonProxy driver as well.

After checking for the existence of the event context, the LhmonProxy driver passed a reference to the event context to the Lhmon.sys driver. The event context was then deleted while the Lhmon.sys driver was using it. The code accessed the context, which had been deallocated, and caused an exception, which in kernel mode causes an operating system crash. Upon further analysis, it was determined that even if Lhmon.sys had not caused the exception, the AFD event handler would have been called after the AFD context was deleted and AFD would have crashed the system.

To resolve this issue, the STAP software was modified to check the validity of the event handler and to prevent access to the de-allocated context. The event context is also protected by a reference count so that, when it is passed to Lhmon.sys, the context will not be deleted until Lhmon.sys is done with it. Finally, AFD is protected by delaying the completion of the delete event handler IRP until the AFD event handler has been called.
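
The reference-count fix described above, replayed as an added single-threaded C model; this is not IBM's driver code. All type and function names are hypothetical, and the spinlock a real driver would hold around the lookup is noted in a comment rather than implemented.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Hypothetical user-mode model; names are not Guardium's. In a driver,
   ctx_acquire() and the unpublish in slot_remove() share one spinlock. */
typedef struct { int refs; int datagrams; } event_ctx;
typedef struct {
    event_ctx *ctx;         /* NULL once removal has started */
    bool delete_completed;  /* models completing the delete-handler IRP */
} handler_slot;
static bool slot_register(handler_slot *s) {
    s->delete_completed = false;
    s->ctx = calloc(1, sizeof *s->ctx);
    if (s->ctx) s->ctx->refs = 1;   /* the registration's own reference */
    return s->ctx != NULL;
}
/* Validity check and reference taken in one step, so no window between them. */
static event_ctx *ctx_acquire(handler_slot *s) {
    if (s->ctx) s->ctx->refs++;
    return s->ctx;
}
/* Zero is reached only after slot_remove(), so it completes the delete. */
static void ctx_release(handler_slot *s, event_ctx *c) {
    if (--c->refs > 0) return;
    free(c);
    s->delete_completed = true;
}
/* Unpublish first so late datagrams fail ctx_acquire(); completion waits. */
static void slot_remove(handler_slot *s) {
    event_ctx *c = s->ctx;
    if (!c) return;
    s->ctx = NULL;
    ctx_release(s, c);              /* drop the registration reference */
}
/* Replays the alert's interleaving; returns a bitmask of checks that held. */
int replay_race(void) {
    handler_slot s;
    int ok = 0;
    if (!slot_register(&s)) return -1;
    event_ctx *c = ctx_acquire(&s);          /* datagram handler starts */
    slot_remove(&s);                         /* removal arrives mid-handler */
    if (!s.delete_completed) ok |= 1;        /* delete is held back */
    c->datagrams++;                          /* safe: context still referenced */
    if (c->refs == 1 && c->datagrams == 1) ok |= 2;
    ctx_release(&s, c);                      /* handler done, context freed */
    if (s.delete_completed) ok |= 4;         /* delete completes only now */
    if (ctx_acquire(&s) == NULL) ok |= 8;    /* late datagram is rejected */
    return ok;
}
int main(void) { return replay_race() == 15 ? 0 : 1; }
```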

Affected Operating Systems: All supported Windows O/S versions
Affected Databases: All
Affected Guardium versions: V8.x
Fixed in revision: WINDOWS STAP r43443 or later

While this alert refers to an extremely rare race condition, to eliminate the risk of this issue in your environment, IBM strongly recommends that you upgrade Windows STAP to the latest available version on Fix Central at your earliest convenience.

Document information

More support for: IBM Security Guardium

Software version: 7.0, 8.0, 8.0.1

Operating system(s): Linux

Reference #: 1610177

Modified date: 18 October 2013
