'Re: [oss-security] CVE request: kernel: splice local denial of'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE request: kernel: splice local denial of
From:       Jon Oberheide <jon () oberheide ! org>
Date:       2009-05-30 7:36:30
Message-ID: 1243668990.14601.21.camel () localhost
[Download RAW message or body]


The deadlock can be reproduced easily (you might need to fork() a few
times to get an pipe inode allocation ptr less than the file inode ptr):

    pipe(pfds);
    snprintf(buf, sizeof(buf), "/tmp/%d", getpid());
    fd = open(buf, O_RDWR | O_CREAT, S_IRWXU);

    if (fork()) {
        splice(pfds[0], NULL, fd, NULL, 1024, NULL);
    } else{
        sleep(1);
        splice(pfds[0], NULL, fd, NULL, 1024, NULL);
    }

However, the deadlock only affects the task attempting to acquire the
inode's i_mutex, so an attacker would require write access to a file
that is also written (or other fs op that acquires i_mutex) by some
victim process.  That is, unless I've missed something. :-)

Regards,
Jon Oberheide

On Fri, 2009-05-29 at 17:20 +0200, Marcus Meissner wrote:
> Hi oss-sec,
> 
> CVE Request for a local denial kernel issue....
> 
> The splice(2) syscall has received some fixes against local deadlocks.
> 
> 2.6.30-rc3 is fixed,
> 2.6.27.24 is fixed, and
> 2.6.29.4 is fixed.
> 
> The inode double locking code was introduced in 2.6.19, so I guess earlier
> kernel versions are not affected. (Miklos?)
> 
> Its as far as I understand this set of changes in mainline:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=7bfac9ecf0585962fe13584f5cf526d8c8e76f17
>  (this one with description of issue)
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=b3c2d2ddd63944ef2a1e4a43077b602288107e01
>  http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=2933970b960223076d6affcf7a77e2bc546b8102
>  http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=eb443e5a25d43996deb62b9bcee1a4ce5dea2ead
>  http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=328eaaba4e41a04c1dc4679d65bea3fee4349d86
>  
> Ciao, Marcus
-- 
Jon Oberheide <jon@oberheide.org>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6  F184 5842 1C89 F47C 17FE


["signature.asc" (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic