Bug 315051 (CVE-2007-5494)
| Summary: | CVE-2007-5494 open(O_ATOMICLOOKUP) leaks dentry | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vasily Averin <vvs> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | Martin Jenner <mjenner> |
| Severity: | high | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | anton, khorenko, kreilly, kseifried, osoukup |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-09-29 17:02:22 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 363461, 363471, 363481, 363491 | ||
| Bug Blocks: | |||
|
Description
Vasily Averin
2007-10-02 06:37:04 UTC
compile the following testcase, run it in a cycle as a user and watch memory
leaks via slabtop
$ cat tst.c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
int
main (int argc, char *argv[])
{
open ("/proc/self/exe", O_RDONLY);
open ("/proc/self/exe", O_RDONLY | 02000000);
}
Active / Total Objects (% used) : 2082610 / 2086261 (99.8%)
Active / Total Slabs (% used) : 94487 / 94488 (100.0%)
Active / Total Caches (% used) : 95 / 140 (67.9%)
Active / Total Size (% used) : 360064.96K / 360385.06K (99.9%)
Minimum / Average / Maximum Object : 0.01K / 0.17K / 128.00K
OBJS ACTIVE USE OBJ SIZE SLABS OBJ/SLAB CACHE SIZE NAME
688286 688286 100% 0.13K 23734 29 94936K dentry_cache
682869 682869 100% 0.35K 62079 11 248316K proc_inode_cache
682558 682558 100% 0.04K 6758 101 27032K pid
3672 3642 99% 0.05K 51 72 204K buffer_head
3276 3166 96% 0.04K 39 84 156K sysfs_dir_cache
2576 2483 96% 0.08K 56 46 224K vm_area_struct
2424 2417 99% 0.48K 303 8 1212K ext3_inode_cache
2373 2373 100% 0.03K 21 113 84K size-32
1991 1974 99% 0.33K 181 11 724K inode_cache
1820 1800 98% 0.27K 130 14 520K radix_tree_node
1475 1295 87% 0.06K 25 59 100K size-64
1350 1350 100% 0.12K 45 30 180K size-128
1016 871 85% 0.01K 4 254 16K anon_vma
1008 817 81% 0.16K 42 24 168K filp
858 690 80% 0.05K 11 78 44K selinux_inode_security
736 648 88% 0.04K 8 92 32K Acpi-Operand
444 422 95% 2.00K 222 2 888K size-2048
376 376 100% 0.50K 47 8 188K size-512
375 375 100% 0.25K 25 15 100K size-256
360 294 81% 0.19K 18 20 72K skbuff_head_cache
360 301 83% 0.09K 9 40 36K bio
338 297 87% 0.02K 2 169 8K Acpi-Namespace
288 268 93% 0.43K 32 9 128K shmem_inode_cache
254 8 3% 0.01K 1 254 4K revoke_table
236 236 100% 0.06K 4 59 16K fs_cache
Mark, it's tux, via linux-2.6-tux.patch, which introduces this:
...
need_revalidate:
+ if (atomic)
+ return -EWOULDBLOCKIO;
if (dentry->d_op->d_revalidate(dentry, nd))
goto done;
if (d_invalidate(dentry))
that return forgets to drop the dentry
-Eric
told vendor-sec under embargo No other vendor said they were vulnerable to this. Description used in text: A memory leak was found in the Tux HTTP accelerator patch. A local user could use this flaw to cause a denial of service (memory exhaustion). (CVE-2007-5494) Removing embargo. All z-stream children bugs have been closed, future tracking bugs still open, parent is no longer needed. |