Red Hat Bugzilla – Bug 169130
CVE-2005-3356 double decrement of mqueue_mnt->mnt_count in sys_mq_open
Last modified: 2007-11-30 17:07:20 EST
Created attachment 119181 [details]
Description of problem:
The mq_open system call has some error paths that decrement
mqueue_mnt->mnt_count twice causing the structure to be cleaned up which causes
a panic. I am considering this a security sensitive bug because this can be
triggered by ANY USER using a 1 line program (see attachment).
I feel sys_mq_open needs to be rewritten to simplify the error paths. The
problem is that when dentry_open fails it calls mntput() which decrements
mqueue_mnt->mnt_count then sys_mq_open calls mntput() again for any errors.
Some of these error paths came from dentry_open while some did not.
I am seeing this on my HP ia64 systems however I do not believe it is archeture
Looking at the upstream 184.108.40.206 source I see sys_mq_open has not changed so it
appears that this patch will be needed upstream as well.
It does appear that fs/open.c on the 220.127.116.11 kernel has changed in the O_DIRECT
path (which this reproducer exploits) so it is possible that this reproducer may
not work there however since the error paths of sys_mq_open() have not changed I
am certain there are other exploits that would trigger this (just possibly not
the one liner I have come up with).
The upstream kernels don't seem to be working on ia64 and I don't have other
systems right now so I cannot verify.
Version-Release number of selected component (if applicable):
kernel-2.6.9-20.EL (probably any 2.6.9 kernel as well)
Steps to Reproduce:
1. cc mq_open_panic.c (see attachment)
2. ./a.out (as any user)
test should report an error via perror
Created attachment 121455 [details]
Ack'd patch used for 2.6.9
committed in -22.0.2
Reported upstream and vendor-sec on 20060111
Removing embargo from bug details
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.