Bug 570863 (CVE-2010-0727)
| Field | Value |
|---|---|
| Summary | CVE-2010-0727 kernel: bug in GFS/GFS2 locking code leads to dos |
| Product | [Other] Security Response |
| Reporter | Sachin Prabhu <sprabhu> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | adas, arozansk, bkahn, bmarzins, cfeist, dhoward, iannis, jkortus, kmcmartin, lsmid, lwang, plyons, pmatouse, rkhan, rpeterso, rwheeler, security-response-team, sghosh, swhiteho, tcallawa, vdanen |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2015-06-24 13:08:14 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 571297, 571298, 571299, 571300, 571606, 572389, 572390, 572564 |
| Bug Blocks | |
| Attachments | |
Description
Sachin Prabhu
2010-03-05 17:39:10 UTC
Explanation: Using latest RHEL 5 code.

1) The file is locked using a posix lock. This is supported by GFS.

2) The mode of the file is then set to 02644; this sets the sgid bit but doesn't set the group execute bit. This mode is used to enforce mandatory locking.

3) When closing the file, the following code is called:

    filp_close
      locks_remove_posix
        vfs_lock_file
          return filp->f_op->lock(filp, cmd, fl);

This, for a file on gfs, is gfs2_lock:

```c
static int gfs2_lock(struct file *file, int cmd, struct file_lock *fl)
{
	..
	if ((ip->i_inode.i_mode & (S_ISGID | S_IXGRP)) == S_ISGID)
		return -ENOLCK;
	..
}
```

Thus, gfs2_lock() notices that the mode set on the file corresponds to mandatory locks. At this stage, it quits with an ENOLCK. The posix lock thus is not cleared at this point.

The close of the file continues:

    filp_close
      fput
        __fput
          locks_remove_flock

At this stage, it goes through the locks to remove any remaining flocks. It is assumed that all posix locks have been removed by the code path explained above. However, it hits this particular lock which was skipped above. At this stage, it fails with a bug.

```c
void locks_remove_flock(struct file *filp)
{
	..
	while ((fl = *before) != NULL) {
		if (fl->fl_file == filp) {
			if (IS_FLOCK(fl)) {
				locks_delete_lock(before);
				continue;
			}
			if (IS_LEASE(fl)) {
				lease_modify(before, F_UNLCK);
				continue;
			}
			/* What? */
			BUG();   /* <-- fails here. */
		}
		before = &fl->fl_next;
	}
	..
}
```

Created attachment 398505 [details]
proposed patch
Check for mandatory locks should be ignored in case of unlock requests.
This is similar to the code which went into the NFS module.
I've verified the same issue exists on upstream.

Created attachment 398546 [details]
Upstream patch (should do for RHEL6 as well)
Need fixes for GFS-kernel, gfs-kmod, and gfs2. Note that the upstream kernel needs the fix for gfs2 eventually.

Patch submitted upstream: http://lkml.org/lkml/2010/3/11/269

This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2010:0178 https://rhn.redhat.com/errata/RHSA-2010-0178.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2010:0291 https://rhn.redhat.com/errata/RHSA-2010-0291.html

This issue has been addressed in the following products:
GFS for RHEL 3
Via RHSA-2010:0330 https://rhn.redhat.com/errata/RHSA-2010-0330.html

This issue has been addressed in the following products:
GFS for RHEL 4
Via RHSA-2010:0331 https://rhn.redhat.com/errata/RHSA-2010-0331.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux 5.4.Z - Server Only
Via RHSA-2010:0380 https://rhn.redhat.com/errata/RHSA-2010-0380.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux 5.4.Z - Server Only
Via RHSA-2010:0521 https://rhn.redhat.com/errata/RHSA-2010-0521.html

Is there any reason to keep this bug record open? It's seen no activity for almost 5 years.

(In reply to Robert Peterson from comment #46)
> Is there any reason to keep this bug record open?
> It's seen no activity for almost 5 years.

No, closing. Thanks Robert.
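The root cause described in the report and the fix proposed for it (skip the mandatory-lock refusal for unlock requests), modelled as a small userspace program. This is an added, constructed illustration and not kernel code or an attachment from this bug; the functions gfs2_lock_before, gfs2_lock_after and close_would_bug are my own names, and the lock list is reduced to a single flag standing in for the VFS file_lock list.

```c
/* Constructed model of the GFS2 mandatory-lock check, before and after the
 * fix described in this bug. Not kernel code: only the mode bits from
 * <sys/stat.h> and the F_* lock types from <fcntl.h> are real. */
#include <errno.h>
#include <fcntl.h>     /* F_RDLCK, F_WRLCK, F_UNLCK */
#include <stdio.h>
#include <sys/stat.h>  /* S_ISGID, S_IXGRP, mode_t */

/* Mode 02644 has S_ISGID set and S_IXGRP clear: the mandatory-locking encoding. */
static int mandatory_lock_mode(mode_t mode)
{
    return (mode & (S_ISGID | S_IXGRP)) == S_ISGID;
}

/* Vulnerable check, as quoted in the description: refuses every lock
 * operation on a mandatory-lock file, including the F_UNLCK that
 * locks_remove_posix() issues at close time. Returns 0 or -ENOLCK. */
int gfs2_lock_before(mode_t mode, int fl_type)
{
    (void)fl_type;
    if (mandatory_lock_mode(mode))
        return -ENOLCK;
    return 0;
}

/* Fixed check: the mandatory-lock refusal is ignored for unlock requests,
 * which is what the proposed patch describes. New locks are still refused. */
int gfs2_lock_after(mode_t mode, int fl_type)
{
    if (mandatory_lock_mode(mode) && fl_type != F_UNLCK)
        return -ENOLCK;
    return 0;
}

/* Simulates the close path: locks_remove_posix() asks the filesystem to drop
 * the posix lock; if that is refused, the lock survives into
 * locks_remove_flock(), which only handles flock/lease entries and BUG()s.
 * Returns 1 if a leftover posix lock would reach BUG(), 0 otherwise. */
int close_would_bug(int (*fs_lock)(mode_t, int), mode_t mode)
{
    int posix_lock_held = 1;                 /* step 1: posix lock taken */
    if (fs_lock(mode, F_UNLCK) == 0)         /* step 3: unlock on close */
        posix_lock_held = 0;
    return posix_lock_held;                  /* still held -> BUG() path */
}

int main(void)
{
    mode_t mode = 02644;                     /* step 2: chmod 02644 */
    printf("before fix: would BUG = %d\n", close_would_bug(gfs2_lock_before, mode));
    printf("after fix:  would BUG = %d\n", close_would_bug(gfs2_lock_after, mode));
    return 0;
}
```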