Red Hat Bugzilla – Bug 232267
kernel BUG at fs/locks.c:1799 - local DoS
Last modified: 2007-11-16 20:14:55 EST
Description of problem:
The kernel NFS client has a locking bug which causes the system to crash
via a BUG() at fs/locks.c:1799. This bug can be exploited by any local user
who as write access to an NFS mount.
Mandatory locking on a file on an NFS mount succeeds, but if the file mode is
changed while the lock is held, unlocking fails when the file handle is closed.
The bug is in fs/nfs/file.c function nfs_lock() and is fixed by the attached
patch, which is a partial backport from 2.6.12.
Version-Release number of selected component (if applicable):
All RHEL kernels based on 2.6.9 up to and including 2.6.9-42.0.10.EL.
Sample exploit code is attached below.
Steps to Reproduce:
int main(int argc, char** argv)
struct flock lck;
fd = open(argv, O_RDWR | O_CREAT, 0644);
memset(&lck, 0, sizeof(lck));
lck.l_type = F_WRLCK;
fcntl(fd, F_SETLK, &lck);
Run this code on a nonexistent file on an NFS mount.
System immediately crashes with kernel BUG at fs/locks.c:1799
A zero byte file is created with mode 0755.
It's been reported to me that the reproducer posted here does not reproduce this
issue. Setting to NEEDINFO until we have some to go on...
While there's very little info to go on here, I'm thinking this is probably a
dupe of bug #211092. A patch recently went in to fix that bz. Please reopen this
bug if this bug turns out to be a different issue.
*** This bug has been marked as a duplicate of 211092 ***