Bug 171369 - CVE-2005-3271 posix-timers leak
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: kernel
Version: 3.0
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Ernie Petrides
QA Contact: Brian Brock
Whiteboard: public=20040917,impact=moderate
Keywords: Security
Reported: 2005-10-21 05:26 EDT by Mark J. Cox (Product Security)
Modified: 2007-11-30 17:07 EST

Doc Type: Bug Fix
Last Closed: 2005-10-28 00:12:46 EDT
Description Mark J. Cox (Product Security) 2005-10-21 05:26:38 EDT
CVE-2005-3271 states "Exec in Linux kernel 2.6 does not properly clear
posix-timers in multi-threaded environments, which results in a resource leak
and could allow a large number of multiple local users to cause a denial of
service by using more posix-timers than specified by the quota for a single user."

This code was included in RHEL3 due to a backport, in linux-2.4.20-o1-nptl.patch
and therefore may be vulnerable to this issue (needs investigation from kernel
team).

This was originally fixed with this commit:
http://linux.bkbits.net:8080/linux-2.6/cset@414b332fsZQvEUsfzKJIo-q2_ZH0hg
however the code got refactored shortly afterwards:
http://linux.bkbits.net:8080/linux-2.6/cset@4174ac1exFxpMg163OsRuPZLQrlBKg

We currently do not have any more information on this issue; the CVE looks like
it has been created completely from the original commit message.
Comment 1 Ernie Petrides 2005-10-21 17:45:33 EDT
Looks to me like RHEL3 does have this vulnerability, although I'd
prefer to see it fixed without doing any signal struct rework as
is shown by the 2nd link above.  The upstream 2.6 signal data
struct handling is somewhat different from RHEL3, which is why
mucking around with that part would be too risky.  It might be
that the change shown by the 1st link is sufficient to address
the vulnerability.

PeterS, I'm tentatively assigning this to you, but I might have
some time next week to take this one on myself.
Comment 3 Ernie Petrides 2005-10-28 00:12:46 EDT
I've determined that the leaked data structures in 2.6 are used in the
implementation of POSIX.1b interval timers, which are instantiated with
the timer_create() system call.

RHEL3 does not support these timers nor their associated system calls,
and thus it is not vulnerable to this problem.

Closing as NOTABUG.