Bug 413936 (CVE-2008-3275) - VUL-0: CVE-2008-3275: kernel: VFS Memory leakage
Summary: VUL-0: CVE-2008-3275: kernel: VFS Memory leakage
Status: RESOLVED FIXED
Alias: CVE-2008-3275
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other All
Priority: P3 - Medium, Severity: Major
Target Milestone: unspecified
Assignee: Greg Kroah-Hartman
QA Contact: Security Team bot
Whiteboard: wasL3:30858 CVE-2008-3275: CVSS v2 Ba...
Keywords: DSLA_REQUIRED, DSLA_SOLUTION_PROVIDED
Depends on:
Blocks:
 
Reported: 2008-08-01 14:50 UTC by LTC BugProxy
Modified: 2020-04-21 09:29 UTC

See Also:
Found By: Third Party Developer/Partner
Services Priority: 800
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
backport patch for SLES10 SP2 kernel (2.6.16) (1.04 KB, text/plain)
2008-08-01 14:50 UTC, LTC BugProxy
backport patch for SLES9 SP4 kernel (2.6.5-7) (1010 bytes, text/plain)
2008-08-06 02:10 UTC, LTC BugProxy

Description LTC BugProxy 2008-08-01 14:50:43 UTC
=Comment: #0=================================================
Edjunior Barbosa Machado <emachado@br.ibm.com> - 2008-07-31 16:06 EDT
---Problem Description---
Reading the LKML yesterday, I found a severe memory leakage in the VFS (EXT3),
which occurs on SLES10 SP2 (probably on other versions also). The problem happens
when trying to create a file in a dead directory. Since the directory doesn't
exist anymore, the code returns leaving the memory allocated, increasing the
file system disk usage as well.
 
The original thread is at http://lkml.org/lkml/2008/7/2/83.
 
Contact Information = Breno Leitao/brenohl@br.ibm.com; Edjunior
Machado/emachado@br.ibm.com
 
---uname output---
Linux gekko-lp1 2.6.16.60-0.21-ppc64 #1 SMP Tue May 6 12:41:02 UTC 2008 ppc64 ppc64 ppc64 GNU/Linux
 
Machine Type = POWER5
 
---Debugger---
A debugger is not configured
 
---Steps to Reproduce---
Run the following script: 

while true; do
        echo live
        for i in `seq 1 1000`
        do
                mkdir $i                  # create a directory
                cd $i                     # enter it, so it stays referenced after removal
                rmdir ../$i               # remove it from the parent: the cwd is now a dead directory
                touch tmp &> /dev/null    # try to create a file in the dead directory (fails with ENOENT)
                cd - &> /dev/null         # back to the parent for the next iteration
        done;
done;

 
---Kernel - Filesystem Component Data--- 
Stack trace output:
  no
 
Oops output:
  no
=Comment: #1=================================================
Edjunior Barbosa Machado <emachado@br.ibm.com> - 2008-07-31 16:09 EDT
After about 3 hours running the proposed script on a ppc64 machine running
kernel 2.6.16.60-0.21-ppc64, disk space usage increased from 30% to 69%
(~3.5GB), then seemed to stop increasing.
=Comment: #2=================================================
Edjunior Barbosa Machado <emachado@br.ibm.com> - 2008-08-01 08:25 EDT

backport patch for SLES10 SP2 kernel (2.6.16)

This patch was tested with the proposed script for about 15 hours on a ppc64
machine running SLES10 SP2 and it fixed the issue. The disk space and memory
usage seemed OK with this patch applied.
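The trigger described in the report (creating a file inside a directory that has already been removed), as an added example that is not part of the bug report or the kernel patch: a C check that repeats the sequence with a directory fd in place of `cd` and samples nr_dentry from /proc/sys/fs/dentry-state, so a kernel can be compared before and after the fix is applied. It assumes Linux with procfs; the /tmp scratch path is constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* mkdir, keep the directory referenced through an open fd (the role `cd` plays in the
 * script), rmdir it, then try to create "tmp" inside the now-dead directory. Returns the
 * errno from openat (ENOENT is the expected outcome), 0 if the create unexpectedly
 * succeeded, or a negative errno if the setup itself failed. */
int touch_in_dead_dir(const char *base, int idx)
{
    char path[PATH_MAX];
    int dfd, fd, result;
    snprintf(path, sizeof path, "%s/d%d", base, idx);
    if (mkdir(path, 0700) != 0) return -errno;
    dfd = open(path, O_RDONLY | O_DIRECTORY);
    if (dfd < 0) { result = -errno; rmdir(path); return result; }
    if (rmdir(path) != 0) { result = -errno; close(dfd); return result; }
    fd = openat(dfd, "tmp", O_WRONLY | O_CREAT, 0600);   /* lookup inside a dead directory */
    result = (fd < 0) ? errno : 0;
    if (fd >= 0) { close(fd); unlinkat(dfd, "tmp", 0); }
    close(dfd);
    return result;
}

/* First field of /proc/sys/fs/dentry-state (allocated dentries); -1 if it cannot be read. */
long read_nr_dentry(void)
{
    long nr = -1;
    FILE *f = fopen("/proc/sys/fs/dentry-state", "r");
    if (f && fscanf(f, "%ld", &nr) != 1) nr = -1;
    if (f) fclose(f);
    return nr;
}

int main(void)
{
    char base[] = "/tmp/deaddir.XXXXXX";   /* constructed scratch location, not from the report */
    if (!mkdtemp(base)) { perror("mkdtemp"); return 1; }
    long before = read_nr_dentry();
    for (int i = 0; i < 1000; i++)
        if (touch_in_dead_dir(base, i) != ENOENT) { fprintf(stderr, "unexpected result at %d\n", i); break; }
    /* On an affected kernel the count keeps climbing with each iteration and does not drop back. */
    printf("nr_dentry before=%ld after=%ld\n", before, read_nr_dentry());
    return rmdir(base) != 0;
}
```

Run it twice a few minutes apart on the kernel under test: a flat nr_dentry means the lookup is refused before a child dentry is created, the growing count is the symptom the report measures as disk and memory usage.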
Comment 1 LTC BugProxy 2008-08-01 14:50:49 UTC
Created attachment 231315 [details]
backport patch for SLES10 SP2 kernel (2.6.16)
Comment 2 LTC BugProxy 2008-08-01 15:00:50 UTC
------- Comment From emachado@br.ibm.com 2008-08-01 10:54 EDT-------
The fix was already committed to mainline:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d70b67c8bc72ee23b55381bd6a884f4796692f77
Comment 3 Greg Kroah-Hartman 2008-08-01 18:04:16 UTC
As we don't have UBIFS, how is this error path ever hit to be relevant for SLE10?
Comment 4 LTC BugProxy 2008-08-01 21:00:41 UTC
------- Comment From emachado@br.ibm.com 2008-08-01 16:52 EDT-------
(In reply to comment #8)
> ------- Comment From gregkh@novell.com 2008-08-01 12:04:16 MDT-------
> As we don't have UBIFS, how is this error path ever hit to be relevant for SLE10?

It seems to be an issue that affects the VFS layer. This error was reproduced on
SLES10 SP2 using ext3 filesystem.
Comment 5 Greg Kroah-Hartman 2008-08-01 22:14:41 UTC
Your script above does not reproduce anything that I can see.  The memory used by the vfs will be released when there is memory pressure to do so, which is correct.

It is only in the case of UBIFS that this is a problem, due to the way it interacts with the vfs; ext3 should have no problem at all.
Comment 6 LTC BugProxy 2008-08-02 19:30:35 UTC
------- Comment From emachado@br.ibm.com 2008-08-02 15:30 EDT-------
After about 19 hours running the aforementioned script on a ppc64 machine with
SLES10 SP2 (running kernel 2.6.16.60-0.21-ppc64 and using ext3 fs), the disk
usage increased from 9% to 61% (approx. 17 GB). Then, the system complained about
"no space left on device", even with 'df' reporting 13 GB available. Also, dmesg
didn't show anything strange.

Here are the outputs before:

perfsqh2:~ # df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sdb1             34985600   2765364  30442832   9% /
udev                 234623020       128 234622892   1% /dev

perfsqh2:~ # vmstat
procs -----------memory---------- ---swap-- -----io---- -system-- -----cpu------
r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
0  0      0 468884032   4908  29016    0    0     1     0    1    5  0  0 100  0  0

and after the test:

perfsqh2:~ # df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sdb1             34985600  20095312  13112884  61% /
udev                 234623020       128 234622892   1% /dev

perfsqh2:~ # vmstat
procs -----------memory---------- ---swap-- -----io---- -system-- -----cpu------
r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
0  1      0 445145664 18008624  22496    0    0     0    10    1    5  0  0 99  0  0

Novell, if you need some additional info, please let me know.
Thanks in advance.
Comment 7 Greg Kroah-Hartman 2008-08-04 23:06:06 UTC
reopening...
Comment 8 Greg Kroah-Hartman 2008-08-04 23:08:41 UTC
Ok, sorry for the noise, this does look real.

Security, consider this public.
Comment 9 Greg Kroah-Hartman 2008-08-05 00:30:55 UTC
Committed to:
  SLE10 SP1
  SLE10 SP2
  10.3
  11.0

Are there any other kernels it should be applied to?
Is SLE9 an issue here?
Comment 10 Thomas Biege 2008-08-05 09:37:12 UTC
(In reply to comment #9 from Greg Kroah-Hartman)
> Committed to:
>   SLE10 SP1
>   SLE10 SP2
>   10.3
>   11.0

Thanks.

> Are there any other kernels it should be applied to?
> Is SLE9 an issue here?

Yes, we still support SLES9; if it is affected it should also get the patches.

Comment 11 LTC BugProxy 2008-08-05 13:10:50 UTC
------- Comment From emachado@br.ibm.com 2008-08-05 09:07 EDT-------
(In reply to comment #13)
> ------- Comment From gregkh@novell.com 2008-08-04 18:30:55 MDT-------
> Are there any other kernels it should be applied to?
> Is SLE9 an issue here?

Yes, this problem can also be found on SLES9 SP4 (kernel 2.6.5-7). A backport
patch will be sent soon.
Comment 12 Greg Kroah-Hartman 2008-08-05 16:33:12 UTC
This is now CVE-2008-3275

Thomas, should we also fix SLE 8?  2.4 is also affected here.
Comment 13 Greg Kroah-Hartman 2008-08-05 16:34:45 UTC
Oh, and do we also care about 10.2 and/or 10.1?
Comment 14 LTC BugProxy 2008-08-06 02:10:43 UTC
Created attachment 231906 [details]
backport patch for SLES9 SP4 kernel (2.6.5-7)

This patch was tested for about 2 hours with the proposed script on a ppc64
machine and the problem seemed to be fixed for SLES9 SP4.
Comment 15 Thomas Biege 2008-08-06 07:46:14 UTC
(In reply to comment #12 from Greg Kroah-Hartman)
> This is now CVE-2008-3275
> 
> Thomas, should we also fix SLE 8?  2.4 is also affected here.
> 

When I interpret the rules for the "extended maintenance" of sles8 correctly, we do not need to provide a fix.
Putting the patch in the sles8 branch of the kernel tree would be a good idea; a future update will contain the fix then.

The affected box products 10.2-11.0 have to be fixed too, yes.
Comment 16 Marcus Meissner 2008-08-22 09:40:54 UTC
So the fix for 10.2 is missing, if I read the comments right.
Comment 17 LTC BugProxy 2008-08-22 12:20:46 UTC
------- Comment From emachado@br.ibm.com 2008-08-22 08:18 EDT-------
(In reply to comment #20)
> ------- Comment From meissner@novell.com 2008-08-22 03:40:54 MDT-------
> so the fix for 10.2 is missing when I read the comments right.

Hi Novell,
a backport patch against SLES10 SP2 kernel (2.6.16) was already attached, as
well as a fix for SLES9 SP4 kernel (2.6.5-7).
Comment 18 Ludwig Nussel 2008-09-19 07:30:20 UTC
setting default priority for all VUL-0 bugs
Comment 19 Marcus Meissner 2008-10-01 12:56:28 UTC
This bug was mentioned/fixed in the just released SLES 10 SP2 kernel update,
version 2.6.16.60-0.29 (all but x86_64) and 2.6.16.60-0.30 (x86_64).
Comment 20 Marcus Meissner 2008-10-01 15:11:18 UTC
This bugfix was mentioned/released today for SLES 10 SP1 with an updated
kernel which has version 2.6.16.54-0.2.10 (all but x86_64) and 2.6.16.54-0.2.11
(for x86_64).
Comment 21 LTC BugProxy 2008-11-06 13:42:11 UTC
------- Comment From emachado@linux.vnet.ibm.com 2008-11-06 08:31 EDT-------
(In reply to comment #23)
> ------- Comment From meissner@novell.com 2008-10-01 06:56:28 MDT-------
> This bug was mentioned/fixed in the just released SLES 10 SP2 kernel update,
> version 2.6.16.60-0.29 (all but x86_64) and 2.6.16.60-0.30 (x86_64).
>

I've just retested this on ppc64 running SLES10 SP2 with kernel 2.6.16.60-0.31-ppc64 and it seems the bug was fixed. After about 17 hours running the proposed script, disk space and memory usage are OK.
Thanks Novell for your support.
Comment 22 LTC BugProxy 2008-11-07 20:51:59 UTC
------- Comment From emachado@linux.vnet.ibm.com 2008-11-07 15:43 EDT-------
(In reply to comment #24)
> ------- Comment From meissner@novell.com 2008-10-01 09:11:18 MDT-------
> This bugfix was mentioned/released today for SLES 10 SP1 with an updated
> kernel which has version 2.6.16.54-0.2.10 (all but x86_64) and 2.6.16.54-0.2.11
> (for x86_64).
>

Retested for about 8 hours on a ppc64 machine running SLES10 SP1 and kernel 2.6.16.54-0.2.10-ppc64 and it seemed fixed. So, I'm closing this issue.
Thanks.
Comment 23 Greg Kroah-Hartman 2008-11-26 04:37:13 UTC
closing as it should all now be fixed.
Comment 24 Thomas Biege 2009-10-14 01:12:12 UTC
CVE-2008-3275: CVSS v2 Base Score: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Comment 30 Michal Hocko 2010-03-01 13:05:11 UTC
The fix never found its way to sles9sp4 branch AFAICS. Should I commit it now?
Comment 31 Jiri Kosina 2010-03-19 13:17:41 UTC
Yes, please go ahead. Thanks!
Comment 32 Michal Hocko 2010-03-19 13:35:52 UTC
Done.
I think we can close this.
Comment 33 Swamp Workflow Management 2010-08-26 16:59:18 UTC
Update released for: kernel-bigsmp, kernel-bigsmp-debug, kernel-debug, kernel-debug-debug, kernel-default, kernel-default-debug, kernel-smp, kernel-smp-debug, kernel-source, kernel-syms, kernel-um, kernel-um-debug, kernel-xen, kernel-xen-debug, kernel-xenpae, kernel-xenpae-debug, um-host-install-initrd, um-host-kernel, xen-kmp, kernel-update.ycp, install-kernel-non-interactive.sh
Products:
Novell-Linux-POS 9 (i386)
SUSE-CORE 9 (i386)
Comment 34 Swamp Workflow Management 2010-08-26 17:03:54 UTC
Update released for: kernel-s390x, kernel-s390x-debug, kernel-source, kernel-syms, um-host-kernel, kernel-update.ycp, install-kernel-non-interactive.sh
Products:
SUSE-CORE 9 (s390x)
Comment 35 Swamp Workflow Management 2010-08-26 17:09:32 UTC
Update released for: kernel-64k-pagesize, kernel-64k-pagesize-debug, kernel-debug, kernel-debug-debug, kernel-default, kernel-default-debug, kernel-sn2, kernel-sn2-debug, kernel-source, kernel-syms, um-host-kernel, kernel-update.ycp, install-kernel-non-interactive.sh
Products:
SUSE-CORE 9 (ia64)
Comment 36 Swamp Workflow Management 2010-08-26 17:15:20 UTC
Update released for: kernel-default, kernel-default-debug, kernel-iseries64, kernel-iseries64-debug, kernel-pmac64, kernel-pmac64-debug, kernel-pseries64, kernel-pseries64-debug, kernel-smp, kernel-smp-debug, kernel-source, kernel-syms, um-host-kernel, kernel-update.ycp, install-kernel-non-interactive.sh
Products:
SUSE-CORE 9 (ppc)
Comment 37 Swamp Workflow Management 2010-08-26 17:20:18 UTC
Update released for: kernel-s390, kernel-s390-debug, kernel-source, kernel-syms, um-host-kernel, kernel-update.ycp, install-kernel-non-interactive.sh
Products:
SUSE-CORE 9 (s390)
Comment 38 Swamp Workflow Management 2010-08-27 11:56:18 UTC
Update released for: kernel-bigsmp, kernel-bigsmp-debug, kernel-debug, kernel-debug-debug, kernel-default, kernel-default-debug, kernel-smp, kernel-smp-debug, kernel-source, kernel-syms, kernel-um, kernel-um-debug, kernel-xen, kernel-xen-debug, kernel-xenpae, kernel-xenpae-debug, um-host-install-initrd, um-host-kernel, xen-kmp
Products:
Open-Enterprise-Server 9 (i386)
Comment 39 Swamp Workflow Management 2010-08-31 16:07:05 UTC
Update released for: kernel-default, kernel-default-debug, kernel-smp, kernel-smp-debug, kernel-source, kernel-syms, kernel-xen, kernel-xen-debug, um-host-kernel, xen-kmp, kernel-update.ycp, install-kernel-non-interactive.sh
Products:
SUSE-CORE 9 (x86_64)