Bug 488935 (CVE-2009-0935)

Summary: CVE-2009-0935 kernel: inotify local DoS
Product: [Other] Security Response
Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: bhu, lgoncalv, tao, vanhoof, williams
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-05-15 01:37:39 UTC
Bug Depends On: 489259, 489260, 489261
Attachments: Upstream patch (Flags: none)

Description Eugene Teo (Security Response) 2009-03-06 09:29:11 UTC
Description of problem:
If userspace supplies an invalid pointer to a read() of an inotify instance, the inotify device's event list mutex is unlocked twice. This causes an unbalance which effectively leaves the data structure unprotected, and we can trigger oopses by accessing the inotify instance from different tasks concurrently.

http://patchwork.kernel.org/patch/4857/
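
The locking imbalance described above, as an added userspace model in C; it is not the kernel's inotify code and not the upstream patch. `tracked_lock`, `copy_out` and both `read_events_*` functions are hypothetical names, and a NULL destination stands in for the invalid user pointer.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed userspace model, not kernel code: a lock that records misuse. */
struct tracked_lock { int held; int bad_unlocks; };

static void tl_lock(struct tracked_lock *l) { l->held = 1; }

static void tl_unlock(struct tracked_lock *l) {
    if (!l->held) l->bad_unlocks++;     /* unlock of a lock that is not held */
    l->held = 0;
}

/* Stand-in for a copy to userspace; NULL models the invalid pointer. */
static int copy_out(char *dst, const char *src, size_t n) {
    if (!dst) return -1;
    memcpy(dst, src, n);
    return 0;
}

/* Unbalanced shape: the error path leaves the loop with the lock dropped. */
static int read_events_unbalanced(struct tracked_lock *l, char *buf, int nevents) {
    int ret = 0;
    tl_lock(l);
    while (nevents-- > 0) {
        tl_unlock(l);                   /* dropped around the copy */
        if (copy_out(buf, "ev", 2)) { ret = -EFAULT; break; }
        ret += 2;
        tl_lock(l);
    }
    tl_unlock(l);                       /* second unlock after a failed copy */
    return ret;
}

/* Balanced shape: retake the lock before any exit from the loop. */
static int read_events_balanced(struct tracked_lock *l, char *buf, int nevents) {
    int ret = 0, err;
    tl_lock(l);
    while (nevents-- > 0) {
        tl_unlock(l);
        err = copy_out(buf, "ev", 2);
        tl_lock(l);
        if (err) { ret = -EFAULT; break; }
        ret += 2;
    }
    tl_unlock(l);                       /* always paired with a held lock */
    return ret;
}
```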

Comment 17 Eugene Teo (Security Response) 2009-03-19 04:18:18 UTC
CVSS2 score of medium, 4.7 (AV:L/AC:M/Au:N/C:N/I:N/A:C)