Bug 171369 - CVE-2005-3271 posix-timers leak
Summary: CVE-2005-3271 posix-timers leak
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: kernel
Version: 3.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Ernie Petrides
QA Contact: Brian Brock
Whiteboard: public=20040917,impact=moderate
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2005-10-21 09:26 UTC by Mark J. Cox
Modified: 2007-11-30 22:07 UTC (History)
3 users (show)

Clone Of:
Last Closed: 2005-10-28 04:12:46 UTC

Attachments (Terms of Use)

Description Mark J. Cox 2005-10-21 09:26:38 UTC
CVE-2005-3271 states "Exec in Linux kernel 2.6 does not properly clear
posix-timers in multi-threaded environments, which results in a resource leak
and could allow a large number of multiple local users to cause a denial of
service by using more posix-timers than specified by the quota for a single user."

This code was included in RHEL3 due to a backport, in linux-2.4.20-o1-nptl.patch
and therefore may be vulnerable to this issue (needs investigation from kernel

This was originally fixed with this commit:
however the code got refactored shortly afterwards:

We currently do not have any more information on this issue, the CVE looks like
it has been created completely from the original commit message.

Comment 1 Ernie Petrides 2005-10-21 21:45:33 UTC
Looks to me like RHEL3 does have this vulnerability, although I'd
prefer to see it fixed without doing any signal struct rework as
is shown by the 2nd link above.  The upstream 2.6 signal data
struct handling is somewhat different from RHEL3, which is why
mucking around with that part would be too risky.  It might be
that the change shown by the 1st link is sufficient to address
the vulnerability.

PeterS, I'm tentatively assigning this to you, but I might have
some time next week to take this one on myself.

Comment 3 Ernie Petrides 2005-10-28 04:12:46 UTC
I've determined that the leaked data structures in 2.6 are used in the
implementation of POSIX.1b interval timers, which are instantiated with
the timer_create() system call.

RHEL3 does not support these timers nor their associated system calls,
and thus it is not vulnerable to this problem.

Closing as NOTABUG.

Note You need to log in before you can comment on or make changes to this bug.