Bug 457858 (CVE-2008-3275)

Summary: CVE-2008-3275 Linux kernel local filesystem DoS
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dhoward, jpirko, lgoncalv, lwang, qcai, vgoyal, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-23 21:47:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 457859, 457860, 457861, 457862, 457863, 457864, 457865, 457866    
Bug Blocks:    
Attachments:
Description Flags
Upstream patch for this issue
none
Proposed backported patch for RHEL-4.8
none
Proposed backported patch for RHEL-5.3 none

Description Eugene Teo (Security Response) 2008-08-05 02:10:17 UTC 
Description of problem:
Zoltan Sogor noticed this VFS behaviour while testing UBIFS. Lookup can install a child dentry for a deleted directory. This keeps the directory dentry alive, and the inode pinned in the cache and on disk, even after all external references have gone away.

This isn't a big problem normally, since memory pressure or umount will clear out the directory dentry and its children, releasing the inode. But for UBIFS this causes problems because its orphan area can overflow.

http://lkml.org/lkml/2008/7/2/83
http://www.linux-mtd.infradead.org/doc/ubifs.html
Comment 1 Eugene Teo (Security Response) 2008-08-05 02:12:42 UTC 
Proposed upstream patch:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d70b67c8bc72ee23b55381bd6a884f4796692f77
Comment 2 Eugene Teo (Security Response) 2008-08-05 02:13:43 UTC 
Created attachment 313417 [details]
Upstream patch for this issue
Comment 6 Eugene Teo (Security Response) 2008-08-06 02:27:20 UTC 
Created attachment 313514 [details]
Proposed backported patch for RHEL-4.8
Comment 7 Eugene Teo (Security Response) 2008-08-06 02:28:12 UTC 
Created attachment 313515 [details]
Proposed backported patch for RHEL-5.3
Comment 9 Linda Wang 2008-08-19 22:20:36 UTC 
*** Bug 457812 has been marked as a duplicate of this bug. ***
Comment 12 Vincent Danen 2010-12-23 21:47:43 UTC 
This was addressed via:

Red Hat Linux Advanced Workstation 2.1 (RHSA-2008:0787)
MRG Realtime for RHEL 5 Server (RHSA-2008:0857)
Red Hat Enterprise Linux version 5 (RHSA-2008:0885)
Red Hat Enterprise Linux version 3 (RHSA-2008:0973)
Red Hat Enterprise Linux version 2.1 (RHSA-2009:0001)
Red Hat Enterprise Linux version 4 (RHSA-2009:0014)