Bug 169130 - CVE-2005-3356 double decrement of mqueue_mnt->mnt_count in sys_mq_open
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel (Show other bugs)
All Linux
medium Severity high
Assigned To: Alexander Viro
Brian Brock
: Security
Depends On:
Blocks: 168429
Reported: 2005-09-23 10:28 EDT by Doug Chapman
Modified: 2007-11-30 17:07 EST (History)

See Also:
Fixed In Version: RHSA-2006-0101
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-01-17 03:33:48 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Ack'd patch used for 2.6.9 (3.37 KB, patch)
2005-11-24 10:47 EST, Mark J. Cox
no flags Details | Diff

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2005:808 normal SHIPPED_LIVE Important: kernel security update 2005-10-27 00:00:00 EDT
Red Hat Product Errata RHSA-2006:0101 normal SHIPPED_LIVE Important: kernel security update 2006-01-17 00:00:00 EST

Description Doug Chapman 2005-09-23 10:28:03 EDT
Created attachment 119181 [details]
simple reproducer
Comment 1 Doug Chapman 2005-09-23 10:28:03 EDT
Description of problem:
The mq_open system call has some error paths that decrement
mqueue_mnt->mnt_count twice causing the structure to be cleaned up which causes
a panic.  I am considering this a security sensitive bug because this can be
triggered by ANY USER using a 1 line program (see attachment).

I feel sys_mq_open needs to be rewritten to simplify the error paths.  The
problem is that when dentry_open fails it calls mntput() which decrements
mqueue_mnt->mnt_count then sys_mq_open calls mntput() again for any errors. 
Some of these error paths came from dentry_open while some did not.

I am seeing this on my HP ia64 systems, however I do not believe it is architecture

Looking at the upstream source I see sys_mq_open has not changed so it
appears that this patch will be needed upstream as well.

It does appear that fs/open.c on the kernel has changed in the O_DIRECT
path (which this reproducer exploits) so it is possible that this reproducer may
not work there however since the error paths of sys_mq_open() have not changed I
am certain there are other exploits that would trigger this (just possibly not
the one liner I have come up with).

The upstream kernels don't seem to be working on ia64 and I don't have other
systems right now so I cannot verify.

Version-Release number of selected component (if applicable):
kernel-2.6.9-20.EL (probably any 2.6.9 kernel as well)

How reproducible:
Every time.

Steps to Reproduce:
1. cc mq_open_panic.c (see attachment)
2. ./a.out (as any user)
Actual results:

Expected results:
test should report an error via perror

Additional info:
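The reference-count mistake described in this report (dentry_open() drops the mount reference on failure, and the caller's shared error path drops it again) is easy to model outside the kernel. The following user-space C program is an added illustration, not the kernel source or the attached patch: it keeps a mount structure with an `mnt_count`, a `dentry_open_model()` that consumes the caller's reference on failure as the comment above describes, a `mq_open_buggy()` with the unconditional `mntput()` on every error path, and a `mq_open_fixed()` in which ownership of the reference is handed to dentry_open() so that only error paths before that call release it. All function and field names beyond `mnt_count`, `mntput()` and `dentry_open()` are constructed for this example.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed model of a mounted filesystem with a reference count.
 * The real structure is freed when mnt_count reaches zero; here we only
 * record that it happened so the scenario can be inspected afterwards. */
struct vfsmount {
    int mnt_count;        /* live references, one of them is the mount itself */
    int freed;            /* set once the count has dropped to zero */
    int uses_after_free;  /* accesses made after the structure was torn down */
};

static struct vfsmount mqueue_mnt;

static void mntget(struct vfsmount *m)
{
    if (m->freed) m->uses_after_free++;
    m->mnt_count++;
}

static void mntput(struct vfsmount *m)
{
    if (m->freed) { m->uses_after_free++; return; }
    if (--m->mnt_count == 0) m->freed = 1;   /* "structure cleaned up" */
}

/* Model of dentry_open(): on failure it releases the mount reference the
 * caller passed in, exactly the behaviour the bug report attributes to it. */
static int dentry_open_model(struct vfsmount *m, int should_fail)
{
    if (should_fail) { mntput(m); return -EINVAL; }
    return 0;                                /* success: the file owns the ref */
}

/* Model of closing the resulting file: the file's reference is returned. */
static void file_close_model(struct vfsmount *m) { mntput(m); }

/* Buggy shape: every error, including one from dentry_open(), falls through
 * to a single mntput(), so the open failure drops the reference twice. */
static int mq_open_buggy(int open_fails)
{
    int err;
    mntget(&mqueue_mnt);
    err = dentry_open_model(&mqueue_mnt, open_fails);
    if (err) goto out_putmnt;
    return 0;
out_putmnt:
    mntput(&mqueue_mnt);                     /* second decrement on open failure */
    return err;
}

/* Fixed shape: errors raised before dentry_open() release our reference;
 * once dentry_open() has been called it owns the reference either way. */
static int mq_open_fixed(int lookup_fails, int open_fails)
{
    int err;
    mntget(&mqueue_mnt);
    if (lookup_fails) { err = -ENOENT; goto out_putmnt; }
    err = dentry_open_model(&mqueue_mnt, open_fails);
    if (err) return err;                     /* reference already released inside */
    return 0;
out_putmnt:
    mntput(&mqueue_mnt);
    return err;
}

/* Start each scenario with the mount's own single reference. */
static void reset_mount(void)
{
    mqueue_mnt.mnt_count = 1;
    mqueue_mnt.freed = 0;
    mqueue_mnt.uses_after_free = 0;
}

/* Remaining references after a scenario, or -1 if the mount was torn down. */
static int remaining_refs(void) { return mqueue_mnt.freed ? -1 : mqueue_mnt.mnt_count; }

/* Scenarios, each returning the reference count the mount is left with. */
static int run_buggy_open_failure(void)  { reset_mount(); mq_open_buggy(1);    return remaining_refs(); }
static int run_fixed_open_failure(void)  { reset_mount(); mq_open_fixed(0, 1); return remaining_refs(); }
static int run_fixed_lookup_failure(void){ reset_mount(); mq_open_fixed(1, 0); return remaining_refs(); }
static int run_fixed_success(void)
{
    reset_mount();
    if (mq_open_fixed(0, 0) == 0) file_close_model(&mqueue_mnt);
    return remaining_refs();
}

int main(void)
{
    printf("buggy, open fails:    refs=%d\n", run_buggy_open_failure());   /* -1: mount freed */
    printf("fixed, open fails:    refs=%d\n", run_fixed_open_failure());   /*  1 */
    printf("fixed, lookup fails:  refs=%d\n", run_fixed_lookup_failure()); /*  1 */
    printf("fixed, open+close:    refs=%d\n", run_fixed_success());        /*  1 */
    return 0;
}
```

The invariant worth checking in review of any such function is that every path releases each reference exactly once: a callee that frees on failure must not be followed by a shared cleanup label that frees again, and a callee that does not must not be followed by an early return that forgets to. The `uses_after_free` field in the model is where a later caller of the already-freed mount would be counted, which is the point at which the real kernel panics.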
Comment 3 Mark J. Cox 2005-11-24 10:47:55 EST
Created attachment 121455 [details]
Ack'd patch used for 2.6.9
Comment 6 Jason Baron 2006-01-06 14:41:32 EST
committed in -22.0.2
Comment 9 Mark J. Cox 2006-01-16 03:58:48 EST
Reported upstream and vendor-sec on 20060111
Public 20060114


Removing embargo from bug details
Comment 10 Red Hat Bugzilla 2006-01-17 03:33:50 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

