Bug 169130
Field | Value
---|---
Summary | CVE-2005-3356 double decrement of mqueue_mnt->mnt_count in sys_mq_open
Product | Red Hat Enterprise Linux 4
Reporter | Doug Chapman <dchapman>
Component | kernel
Assignee | Alexander Viro <aviro>
Status | CLOSED ERRATA
QA Contact | Brian Brock <bbrock>
Severity | high
Priority | medium
Version | 4.0
CC | jbaron, security-response-team
Keywords | Security
Hardware | All
OS | Linux
Whiteboard | reported=20050923,impact=important,source=redhat,public=20060114
Fixed In Version | RHSA-2006-0101
Doc Type | Bug Fix
Last Closed | 2006-01-17 08:33:48 UTC
Bug Blocks | 168429
Description of problem:
The mq_open system call has some error paths that decrement mqueue_mnt->mnt_count twice, causing the structure to be cleaned up, which causes a panic. I am considering this a security sensitive bug because this can be triggered by ANY USER using a one-line program (see attachment). I feel sys_mq_open needs to be rewritten to simplify the error paths. The problem is that when dentry_open fails it calls mntput(), which decrements mqueue_mnt->mnt_count; then sys_mq_open calls mntput() again for any errors. Some of these error paths came from dentry_open while some did not.

I am seeing this on my HP ia64 systems; however, I do not believe it is architecture specific. Looking at the upstream 2.6.13.2 source I see sys_mq_open has not changed, so it appears that this patch will be needed upstream as well. It does appear that fs/open.c on the 2.6.13.2 kernel has changed in the O_DIRECT path (which this reproducer exploits), so it is possible that this reproducer may not work there; however, since the error paths of sys_mq_open() have not changed, I am certain there are other exploits that would trigger this (just possibly not the one-liner I have come up with). The upstream kernels don't seem to be working on ia64 and I don't have other systems right now, so I cannot verify.

Version-Release number of selected component (if applicable):
RHEL4-U2 kernel-2.6.9-20.EL (probably any 2.6.9 kernel as well)

How reproducible:
Every time.

Steps to Reproduce:
1. cc mq_open_panic.c (see attachment)
2. ./a.out (as any user)

Actual results:
panic

Expected results:
test should report an error via perror

Additional info:

Created attachment 121455 [details] Ack'd patch used for 2.6.9

committed in -22.0.2

Reported upstream and vendor-sec on 20060111. Public 20060114. http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7c7dce9209161eb260cdf9e9172f72c3a02379e6

Removing embargo from bug details

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2006-0101.html
Created attachment 119181 [details] simple reproducer
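The reference-count mistake the report describes (a callee that releases the mount reference on its own failure, followed by a caller that releases it again on every error path) is easy to model outside the kernel. The following is an added illustration, not code from the bug report, the reproducer attachment or the Linux kernel: `struct mount_model`, `model_mntget`, `model_mntput`, `model_dentry_open`, `mq_open_buggy` and `mq_open_fixed` are constructed stand-ins for `mqueue_mnt->mnt_count`, `mntget`/`mntput`, `dentry_open` and `sys_mq_open`. The "fixed" variant only shows the ownership rule (whoever holds the reference at the point of failure releases it, exactly once); it is not a reproduction of the upstream patch linked above.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the vfsmount reference count discussed in the
 * report. Field and function names are illustrative, not the kernel's. */
struct mount_model {
    int  mnt_count;   /* outstanding references */
    bool freed;       /* set when the count hits zero: the real bug's panic */
    int  underflows;  /* puts issued against an already-freed mount */
};

static void model_mntget(struct mount_model *m)
{
    m->mnt_count++;
}

static void model_mntput(struct mount_model *m)
{
    if (m->mnt_count <= 0) {
        m->underflows++;          /* put without a matching get */
        return;
    }
    if (--m->mnt_count == 0)
        m->freed = true;          /* structure torn down while still mounted */
}

/* Stand-in for dentry_open(): on failure it releases the mount reference
 * it was handed, which is the behaviour the report describes. */
static int model_dentry_open(struct mount_model *m, bool fail)
{
    if (fail) {
        model_mntput(m);
        return -EINVAL;
    }
    return 0;                     /* success: the open file now owns the ref */
}

/* Caller with the reported defect: every error path drops the reference,
 * including the one on which the callee has already dropped it. */
int mq_open_buggy(struct mount_model *m, bool lookup_fails, bool open_fails)
{
    int err;

    model_mntget(m);
    if (lookup_fails) {
        err = -ENOENT;
        goto out_putmnt;          /* correct: we still own the reference */
    }
    err = model_dentry_open(m, open_fails);
    if (err)
        goto out_putmnt;          /* wrong: dentry_open already put it */
    return 0;

out_putmnt:
    model_mntput(m);
    return err;
}

/* Caller with ownership made explicit: once the reference has been handed
 * to the callee, only the callee releases it on failure. Illustrative fix
 * for this model, not a copy of the upstream patch. */
int mq_open_fixed(struct mount_model *m, bool lookup_fails, bool open_fails)
{
    int err;

    model_mntget(m);
    if (lookup_fails) {
        model_mntput(m);          /* still ours: release exactly once */
        return -ENOENT;
    }
    err = model_dentry_open(m, open_fails);
    if (err)
        return err;               /* callee consumed the reference */
    return 0;
}

/* Releases the reference that a successful open handed to the "file". */
void mq_close_model(struct mount_model *m)
{
    model_mntput(m);
}

int main(void)
{
    struct mount_model buggy = { 1, false, 0 };  /* 1: the mount's own ref */
    struct mount_model fixed = { 1, false, 0 };

    mq_open_buggy(&buggy, false, true);
    mq_open_fixed(&fixed, false, true);
    printf("buggy: mnt_count=%d freed=%d\n", buggy.mnt_count, buggy.freed);
    printf("fixed: mnt_count=%d freed=%d\n", fixed.mnt_count, fixed.freed);
    return 0;
}
```

Running it with the open step failing shows the buggy path driving the count from the mount's own single reference down to zero (the "cleaned up" structure the reporter saw), while the fixed path ends with the count unchanged. The `underflows` counter is the check a reviewer would want in a debug build: any put on a zero count is a double release, whichever error path produced it.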