Bug 342685 (CVE-2007-5494) - VUL-0: CVE-2007-5494: kernel: open(O_ATOMICLOOKUP) leaks dentry
Summary: VUL-0: CVE-2007-5494: kernel: open(O_ATOMICLOOKUP) leaks dentry
Status: RESOLVED INVALID
Alias: CVE-2007-5494
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: E-mail List
QA Contact: Security Team bot
URL:
Whiteboard: CVE-2007-5494: CVSS v2 Base Score: 4....
Keywords:
Depends on:
Blocks:
 
Reported: 2007-11-19 11:44 UTC by Thomas Biege
Modified: 2021-08-11 09:11 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Thomas Biege 2007-11-19 11:44:40 UTC
Hi.
There is a security bug in 'kernel'.

This information is from 'vendor-sec'.

This bug is NOT PUBLIC.

There is no coordinated release date (CRD) set.

More information can be found here:
	https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec

CVE number: CVE-2007-5494
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5494


Original posting:



----- Forwarded message from Mark J Cox <mjc@redhat.com> -----

From: Mark J Cox <mjc@redhat.com>
To: vendor-sec@lst.de
Subject: [vendor-sec] CVE-2007-5494 open(O_ATOMICLOOKUP) leaks dentry [embargoed]
Errors-To: vendor-sec-admin@lst.de
Date: Mon, 19 Nov 2007 09:10:34 +0000 (GMT)

Vasily Averin reported to us under embargo an issue where 
open(O_ATOMICLOOKUP) leaks the dentry on the filesystems where 
d_revalidate is implemented.  This was found to be caused by our tux 
patch, and upstream is not affected.  If anyone here is using the tux 
patch and is affected by this please let me know so we can come up with 
the embargo date.

Testcase: run it in a cycle as a user and watch memory leaks via slabtop

#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

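int
main (int argc, char *argv[])
{
        /* Plain open of a /proc entry, for comparison. */
        open ("/proc/self/exe", O_RDONLY);
        /* Same open with 02000000 set, the flag bit this report calls
           O_ATOMICLOOKUP; this is the call that leaks the dentry. */
        open ("/proc/self/exe", O_RDONLY | 02000000);
        return 0;
}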

Cause of bug is in our tux patch which adds:

...
need_revalidate:
+       if (atomic)
+               return -EWOULDBLOCKIO;
        if (dentry->d_op->d_revalidate(dentry, nd))
                goto done;
        if (d_invalidate(dentry))
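
Review bot: the added "if (atomic) return -EWOULDBLOCKIO;" directly under need_revalidate: leaves the function before d_revalidate() with no release of the dentry in between, and the report above attributes the leaked dentry on d_revalidate filesystems to exactly this path. Drop the reference before returning (for example dput(dentry) ahead of the return, or a jump to a shared cleanup label if the function has one), and add a comment stating that the atomic path must not exit with the dentry still held.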

Thanks, Mark
--
Mark J Cox / Red Hat Security Response Team
_______________________________________________
Vendor Security mailing list
Vendor Security@lst.de
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec

----- End forwarded message -----

-- 
Bye,
     Thomas
-- 
 Thomas Biege <thomas@suse.de>, SUSE LINUX, Security Support & Auditing
 SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
-- 
	Most people spend more time and energy
	talking around problems than tackling them...
					-- Henry Ford I.
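
The check described in the forwarded message (run the testcase repeatedly, watch the dentry slab) can be scripted instead of read off slabtop. The following is an added example, not part of the original report: the function names are hypothetical, the sample slabinfo text is constructed, and the "at least one object per run" threshold is an assumed heuristic. Reading /proc/slabinfo normally requires root.

```shell
#!/bin/sh
# Added example: measure dentry slab growth around repeated runs of a testcase.

# Constructed sample in /proc/slabinfo (version 2.1) layout, for offline use.
SAMPLE_SLABINFO='slabinfo - version: 2.1
# name <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab>
inode_cache 5000 5100 608 13 2 : tunables 0 0 0 : slabdata 392 392 0
dentry 120000 121000 192 21 1 : tunables 0 0 0 : slabdata 5762 5762 0'

# Print active_objs of the dentry cache from slabinfo text on stdin.
# The slab is named "dentry" on current kernels, "dentry_cache" on older 2.6.
# Exits non-zero when no such slab line is present.
dentry_active() {
    awk '$1 == "dentry" || $1 == "dentry_cache" { print $2; found = 1; exit }
         END { if (!found) exit 1 }'
}

# growth_verdict BEFORE AFTER RUNS
# Assumption: a per-run leak shows up as growth of at least RUNS objects.
# Normal cache activity also moves this counter, so use a large RUNS value.
growth_verdict() {
    growth=$(( $2 - $1 ))
    if [ "$growth" -ge "$3" ]; then
        echo "leak-suspected"
    else
        echo "ok"
    fi
}

# measure RUNS CMD [ARGS...]: sample, run CMD RUNS times, sample again.
measure() {
    runs=$1; shift
    before=$(dentry_active < /proc/slabinfo) || return 2
    i=0
    while [ "$i" -lt "$runs" ]; do
        "$@" >/dev/null 2>&1
        i=$((i + 1))
    done
    after=$(dentry_active < /proc/slabinfo) || return 2
    echo "dentry active_objs: $before -> $after over $runs runs"
    growth_verdict "$before" "$after" "$runs"
}

# Only measure when invoked as: script RUNS CMD [ARGS...]
if [ "$#" -ge 2 ]; then
    measure "$@"
fi
```

Invoke it with a run count and the compiled testcase as arguments; a patched or unaffected kernel should report "ok" with the counter staying near its starting value.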
Comment 1 Marcus Meissner 2007-11-19 11:57:40 UTC
"This was found to be caused by our tux 
patch, and upstream is not affected."

We do not include the TUX patch.
Comment 2 Thomas Biege 2009-10-14 00:15:44 UTC
CVE-2007-5494: CVSS v2 Base Score: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)