Linux Kernel routing_ioctl() Bug May Let Local Users Crash the System
SecurityTracker Alert ID: 1014944
SecurityTracker URL: http://securitytracker.com/id/1014944
CVE Reference: GENERIC-MAP-NOMATCH (no CVE identifier assigned)
Updated: Sep 21 2005
Original Entry Date: Sep 21 2005
Impact:
Denial of service via local system
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 2.6 prior to 2.6.13.2
Description:
A vulnerability was reported in the Linux Kernel. A local user can cause denial of service conditions.
The 32-bit compatibility routing_ioctl() handler on 64-bit platforms looks up the target socket's file with fget() but never releases that reference with sockfd_put(). Every call therefore leaks one reference, so a local user who issues the ioctl enough times can wrap the file's reference counter. Once the counter has wrapped, the next fput() frees the file, its dentry and its vfsmount while other kernel structures still point to them, and because fput() also sets f_dentry and f_vfsmnt to NULL, other users of the same file will oops. The oops can occur while files_lock or other locks are held, so on SMP systems this is an exploitable denial of service.
Only 64-bit kernels exercising the 32-bit compatibility ioctl path are affected.
Vasiliy Averin discovered this vulnerability.
The 32-bit tiocgdev ioctl() handler on x86-64 systems contains the same type of vulnerability.
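The leak described above, modelled in userspace as an added example (this is not kernel code and not part of the advisory or the patch): fget()/fput() are simplified stand-ins, the file's reference counter is narrowed to 8 bits so the wraparound is reachable in 255 calls, and routing_ioctl_leaky()/routing_ioctl_fixed() are hypothetical shapes of the bug and of the fix, not the actual compat ioctl code. The model shows the two things the report states: one reference leaks per call, and after the counter wraps a perfectly legitimate fget()/fput() pair elsewhere frees the file while the descriptor table still points at it.

```c
/* Added example: a userspace model of the reference-count leak fixed in
 * 2.6.13.2.  Nothing here is kernel code; fget()/fput() and the two ioctl
 * handlers are simplified stand-ins written for this illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of struct file.  The reference counter is deliberately 8 bits wide
 * (an assumption of this model; the kernel's counter is a 32-bit atomic_t)
 * so that the wraparound is reachable in a small loop. */
struct file {
    uint8_t f_count;    /* outstanding references; reaching 0 frees the file */
    bool freed;         /* set once the last reference is dropped */
    int f_dentry;       /* stand-in pointer: nonzero while valid */
};

/* Take a reference, as fget()/sockfd_lookup() do.  Overflows silently. */
static struct file *fget(struct file *f)
{
    if (f->freed)
        return NULL;
    f->f_count++;       /* wraps to 0 after 255 outstanding references */
    return f;
}

/* Drop a reference, as fput()/sockfd_put() do.  Like the real fput(),
 * the last drop tears the file down and clears f_dentry. */
static void fput(struct file *f)
{
    if (--f->f_count == 0) {
        f->f_dentry = 0;
        f->freed = true;
    }
}

/* Shape of the bug: the handler looks the socket's file up but never puts
 * it back, so every call leaks one reference.  (Hypothetical handler, not
 * the kernel's routing_ioctl().) */
static int routing_ioctl_leaky(struct file *sock, int cmd)
{
    struct file *f = fget(sock);
    if (!f)
        return -1;
    (void)cmd;          /* ... forward the request to the socket ... */
    return 0;           /* missing sockfd_put(f) */
}

/* Shape of the fix: the reference is dropped before every return. */
static int routing_ioctl_fixed(struct file *sock, int cmd)
{
    struct file *f = fget(sock);
    if (!f)
        return -1;
    (void)cmd;
    fput(f);
    return 0;
}

typedef int (*ioctl_fn)(struct file *, int);

/* Open a socket file (one reference held by the fd table), call the
 * handler `calls` times and return how many references were leaked. */
static unsigned leaked_refs(ioctl_fn handler, unsigned calls)
{
    struct file sock = { .f_count = 1, .freed = false, .f_dentry = 1 };
    for (unsigned i = 0; i < calls; i++)
        handler(&sock, 0);
    return (uint8_t)(sock.f_count - 1);
}

/* After `calls` handler invocations, let one unrelated kernel path take and
 * drop a reference on the same fd (an ordinary fget()/fput() pair).  Returns
 * true if that legitimate fput() freed the file while the fd table still
 * points at it: the use-after-free / oops condition from the report. */
static bool legit_fput_frees_file(ioctl_fn handler, unsigned calls)
{
    struct file sock = { .f_count = 1, .freed = false, .f_dentry = 1 };
    for (unsigned i = 0; i < calls; i++)
        handler(&sock, 0);
    struct file *f = fget(&sock);
    if (f)
        fput(f);
    return sock.freed;  /* fd table still references sock: next deref oopses */
}

int main(void)
{
    printf("leaky handler, 10 calls: %u refs leaked\n",
           leaked_refs(routing_ioctl_leaky, 10));
    printf("fixed handler, 10 calls: %u refs leaked\n",
           leaked_refs(routing_ioctl_fixed, 10));
    printf("leaky handler, 255 calls, then a legit fget/fput: freed=%d\n",
           legit_fput_frees_file(routing_ioctl_leaky, 255));
    printf("fixed handler, 255 calls, then a legit fget/fput: freed=%d\n",
           legit_fput_frees_file(routing_ioctl_fixed, 255));
    return 0;
}
```

With the 8-bit counter the wrap is reached after 255 leaky calls; against the kernel's 32-bit counter the same leak needs on the order of 2^32 ioctl calls, which is why the report describes it as a resource that a local user can exhaust by calling the ioctl "as many times as he wants to" rather than as a one-shot crash.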
Impact:
A local user can cause the kernel to crash.
Solution:
The vendor has issued a fixed version (2.6.13.2), available at:
http://kernel.org/
Vendor URL: www.kernel.org/
Cause:
State error
Underlying OS:
Message History:
None.
Source Message Contents
Date: Wed, 21 Sep 2005 00:54:58 -0400
Subject: Linux kernel vulnerability
Fixed in 2.6.13.2
[PATCH] Lost sockfd_put() in routing_ioctl()
This patch adds lost sockfd_put() in 32bit compat routing_ioctl() on
64bit platforms, bug found by Vasiliy Averin <vvs@sw.ru>.
I believe this is a security issue, since the user can fget() the file as many
times as he wants to. So the file refcounter can be overlapped and the first
fput() will free resources though there will still be structures
pointing to the file, mnt, dentry etc.
Also fput() sets f_dentry and f_vfsmnt to NULL,
so other file users will OOPS.
The oops can be done under files_lock and others, so this can be an
exploitable DoS on SMP. Didn't check it in practice actually.