Bug 315051 (CVE-2007-5494)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2007-5494 open(O_ATOMICLOOKUP) leaks dentry | | |
| Product: | [Other] Security Response | Reporter: | Vasily Averin <vvs> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | Martin Jenner <mjenner> |
| Severity: | high | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | anton, khorenko, kreilly, kseifried, osoukup |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-09-29 17:02:22 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 363461, 363471, 363481, 363491 | | |
| Bug Blocks: | | | |
Description
Vasily Averin
2007-10-02 06:37:04 UTC
Compile the following test case, run it in a loop as an unprivileged user and watch the memory leak via slabtop:

```
$ cat tst.c
```

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
	/* ordinary lookup, for comparison */
	open("/proc/self/exe", O_RDONLY);
	/* 02000000 is the O_ATOMICLOOKUP bit added by the Tux patch; /proc dentries
	 * need revalidation, so this open takes the leaking need_revalidate path */
	open("/proc/self/exe", O_RDONLY | 02000000);
	return 0;
}
```

```
 Active / Total Objects (% used)    : 2082610 / 2086261 (99.8%)
 Active / Total Slabs (% used)      : 94487 / 94488 (100.0%)
 Active / Total Caches (% used)     : 95 / 140 (67.9%)
 Active / Total Size (% used)       : 360064.96K / 360385.06K (99.9%)
 Minimum / Average / Maximum Object : 0.01K / 0.17K / 128.00K

  OBJS ACTIVE  USE OBJ SIZE  SLABS OBJ/SLAB CACHE SIZE NAME
688286 688286 100%    0.13K  23734       29     94936K dentry_cache
682869 682869 100%    0.35K  62079       11    248316K proc_inode_cache
682558 682558 100%    0.04K   6758      101     27032K pid
  3672   3642  99%    0.05K     51       72       204K buffer_head
  3276   3166  96%    0.04K     39       84       156K sysfs_dir_cache
  2576   2483  96%    0.08K     56       46       224K vm_area_struct
  2424   2417  99%    0.48K    303        8      1212K ext3_inode_cache
  2373   2373 100%    0.03K     21      113        84K size-32
  1991   1974  99%    0.33K    181       11       724K inode_cache
  1820   1800  98%    0.27K    130       14       520K radix_tree_node
  1475   1295  87%    0.06K     25       59       100K size-64
  1350   1350 100%    0.12K     45       30       180K size-128
  1016    871  85%    0.01K      4      254        16K anon_vma
  1008    817  81%    0.16K     42       24       168K filp
   858    690  80%    0.05K     11       78        44K selinux_inode_security
   736    648  88%    0.04K      8       92        32K Acpi-Operand
   444    422  95%    2.00K    222        2       888K size-2048
   376    376 100%    0.50K     47        8       188K size-512
   375    375 100%    0.25K     25       15       100K size-256
   360    294  81%    0.19K     18       20        72K skbuff_head_cache
   360    301  83%    0.09K      9       40        36K bio
   338    297  87%    0.02K      2      169         8K Acpi-Namespace
   288    268  93%    0.43K     32        9       128K shmem_inode_cache
   254      8   3%    0.01K      1      254         4K revoke_table
   236    236 100%    0.06K      4       59        16K fs_cache
```

Mark, it's tux, via linux-2.6-tux.patch, which introduces this:

```diff
...
 need_revalidate:
+	if (atomic)
+		return -EWOULDBLOCKIO;
 	if (dentry->d_op->d_revalidate(dentry, nd))
 		goto done;
 	if (d_invalidate(dentry))
...
```

That return forgets to drop the dentry.

-Eric

Told vendor-sec under embargo.

No other vendor said they were vulnerable to this.

Description used in text: A memory leak was found in the Tux HTTP accelerator patch. A local user could use this flaw to cause a denial of service (memory exhaustion). (CVE-2007-5494)

Removing embargo.

All z-stream children bugs have been closed, future tracking bugs still open, parent is no longer needed.
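Review bot: the early exit added at `need_revalidate` (`if (atomic) return -EWOULDBLOCKIO;`) returns while the reference the lookup took on `dentry` is still held, so every O_ATOMICLOOKUP open of a path whose dentry needs revalidation leaks that dentry (and, for procfs, its inode, as the `proc_inode_cache` growth in the slabtop output shows). Drop the reference before returning, e.g. `dput(dentry);` immediately before the `return -EWOULDBLOCKIO;`.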
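The leak in this report shows up as unbounded growth of `dentry_cache` (and, for `/proc` paths, `proc_inode_cache` and `pid`) between two slabtop samples taken around the loop. The C program below is an added example, not part of the bug report or of the Tux patch: it parses two slabtop snapshots (constructed here, with the "after" counts taken from the report) and flags caches whose active object count grew past a threshold; `parse_slabtop`, `find_growth`, `SNAP_BEFORE` and `SNAP_AFTER` are names chosen for this example.

```c
/* Added example, not from the bug report: diff two slabtop snapshots and flag
 * caches whose ACTIVE object count grew by at least a threshold. */
#include <string.h>
enum { MAX_CACHES = 64, NAME_LEN = 32 };
struct slab_row { char name[NAME_LEN]; long active; };

/* Parse slabtop data rows (OBJS ACTIVE USE OBJ-SIZE SLABS OBJ/SLAB CACHE-SIZE NAME);
 * header and summary lines do not match the pattern and are skipped. */
static int parse_slabtop(const char *text, struct slab_row *rows, int max)
{
    int n = 0;
    for (const char *p = text; *p && n < max; p += strcspn(p, "\n"), p += (*p == '\n')) {
        char line[160];
        size_t len = strcspn(p, "\n");
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len); line[len] = '\0';
        /* keep only ACTIVE and NAME; the other columns are matched and discarded */
        if (sscanf(line, "%*ld %ld %*d%% %*15s %*ld %*ld %*15s %31s",
                   &rows[n].active, rows[n].name) == 2)
            n++;
    }
    return n;
}

/* Store the names of caches whose active count rose by >= threshold; return how many. */
static int find_growth(const char *before, const char *after, long threshold,
                       char out[][NAME_LEN], int max)
{
    struct slab_row b[MAX_CACHES], a[MAX_CACHES];
    int nb = parse_slabtop(before, b, MAX_CACHES), na = parse_slabtop(after, a, MAX_CACHES);
    int found = 0;
    for (int i = 0; i < na && found < max; i++) {
        long base = 0;   /* a cache missing from the baseline counts as starting at 0 */
        for (int j = 0; j < nb; j++)
            if (strcmp(a[i].name, b[j].name) == 0) { base = b[j].active; break; }
        if (a[i].active - base >= threshold)
            strcpy(out[found++], a[i].name);
    }
    return found;
}

/* Constructed snapshots: a quiet baseline, then the counts seen in this report. */
static const char SNAP_BEFORE[] =
    "  3190   3050  95%    0.13K    110       29       440K dentry_cache\n"
    "  3672   3642  99%    0.05K     51       72       204K buffer_head\n";
static const char SNAP_AFTER[] =
    "  OBJS ACTIVE  USE OBJ SIZE  SLABS OBJ/SLAB CACHE SIZE NAME\n"
    "688286 688286 100%    0.13K  23734       29     94936K dentry_cache\n"
    "682869 682869 100%    0.35K  62079       11    248316K proc_inode_cache\n"
    "  3672   3642  99%    0.05K     51       72       204K buffer_head\n";
```

On a live system, feed `find_growth` the output of two `slabtop -o` runs taken before and after the loop; a cache that keeps climbing across samples while the workload is steady is the signature this report describes.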