Bug 121931

Summary: VUL-0: kernel: CONFIG_AUDITSYSCALL memleak
Product: [openSUSE] SUSE LINUX 10.0 Reporter: Thomas Biege <thomas>
Component: Kernel Assignee: Marcus Meissner <meissner>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: patch-request, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: All   
Whiteboard: CVE-2005-3181: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: auditfs-leak.patch

Description Thomas Biege 2005-10-10 10:28:55 UTC
And another one; I am not sure whether we are vulnerable to it.


From: Chris Wright <chrisw@osdl.org>
To: vendor-sec@lst.de
User-Agent: Mutt/1.5.6i
Subject: [vendor-sec] (no subject)
Errors-To: vendor-sec-admin@lst.de
Date: Fri, 7 Oct 2005 15:46:16 -0700

Another memleak in kernel, this time when CONFIG_AUDITSYSCALL is enabled.
This one is upstream and public.

thanks,
-chris
--

From: Linus Torvalds <torvalds@g5.osdl.org>
Date: Fri, 7 Oct 2005 04:54:21 +0000 (-0700)
Subject:     Avoid 'names_cache' memory leak with CONFIG_AUDITSYSCALL
X-Git-Url: http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=829841146878e082613a49581ae252c071057c23

Avoid 'names_cache' memory leak with CONFIG_AUDITSYSCALL

The nameidata "last.name" is always allocated with "__getname()", and
should always be free'd with "__putname()".

Using "putname()" without the underscores will leak memory, because the
allocation will have been hidden from the AUDITSYSCALL code.

Arguably the real bug is that the AUDITSYSCALL code is really broken,
but in the meantime this fixes the problem people see.

Reported by Robert Derr, patch by Rick Lindsley.

Acked-by: Al Viro <viro@ftp.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
---

--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1551,19 +1551,19 @@ do_link:
        if (nd->last_type != LAST_NORM)
                goto exit;
        if (nd->last.name[nd->last.len]) {
-               putname(nd->last.name);
+               __putname(nd->last.name);
                goto exit;
        }
        error = -ELOOP;
        if (count++==32) {
-               putname(nd->last.name);
+               __putname(nd->last.name);
                goto exit;
        }
        dir = nd->dentry;
        down(&dir->d_inode->i_sem);
        path.dentry = __lookup_hash(&nd->last, nd->dentry, nd);
        path.mnt = nd->mnt;
-       putname(nd->last.name);
+       __putname(nd->last.name);
        goto do_last;
 }
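
Review bot: The three __putname(nd->last.name) calls in do_link have no comment explaining why the underscore variant is required, so a later cleanup could switch them back to putname() and bring the leak back. Add a short comment at the first call stating that nd->last.name is allocated with __getname() and must be released with __putname(). Separately, the first goto exit (the nd->last_type != LAST_NORM check) releases nothing; it is worth confirming that no name is held on that path.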

_______________________________________________
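
A simplified user-space model of the mismatch the commit message describes, added here as an example; it is not kernel code and not part of the patch. The function names (raw_getname, audited_getname and so on) are hypothetical, and the deferred free in the putname() model under an active audit context is an assumption of the model.

```c
#include <stdio.h>

#define MAX_NAMES 8
static char pool[MAX_NAMES][64];   /* stand-in for the names_cache slab */
static int next_slot, live;        /* live = buffers handed out, not yet freed */
static int audit_active;           /* an audit context exists for this syscall */
static char *tracked[MAX_NAMES];   /* names the audit code was told about */
static int ntracked;

/* Model of __getname()/__putname(): raw allocate and free, no bookkeeping. */
static char *raw_getname(void) { live++; return pool[next_slot++]; }
static void raw_putname(char *n) { (void)n; live--; }

/* Model of getname(): allocate, then register the name with audit. */
static char *audited_getname(void)
{
    char *n = raw_getname();
    if (audit_active)
        tracked[ntracked++] = n;
    return n;
}

/* Model of putname(): with audit active the free is deferred (assumption). */
static void audited_putname(char *n) { if (!audit_active) raw_putname(n); }

/* Syscall exit: audit frees the names it tracked, and only those. */
static void syscall_exit(void)
{
    while (ntracked > 0)
        raw_putname(tracked[--ntracked]);
    audit_active = 0;
}

/* One audited syscall; returns how many buffers are still live afterwards. */
static int leaked_after_syscall(int patched)
{
    next_slot = live = ntracked = 0;
    audit_active = 1;
    char *user_path = audited_getname();     /* tracked by audit */
    char *last_name = raw_getname();         /* like nd->last.name: untracked */
    audited_putname(user_path);
    if (patched) raw_putname(last_name);     /* post-patch call */
    else         audited_putname(last_name); /* pre-patch call */
    syscall_exit();
    return live;
}

int main(void)
{
    printf("putname: %d leaked\n", leaked_after_syscall(0));
    printf("__putname: %d leaked\n", leaked_after_syscall(1));
    return 0;
}
```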
Comment 1 Marcus Meissner 2005-10-10 14:09:47 UTC
for 10.0 
Comment 2 Marcus Meissner 2005-10-10 14:10:27 UTC
Created attachment 52083 [details]
auditfs-leak.patch
Comment 3 Marcus Meissner 2005-10-10 14:10:48 UTC
hubert for 10.0 only. please apply  
Comment 4 Thomas Biege 2005-10-12 06:33:36 UTC
Candidate: CAN-2005-3181
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3181
Reference:
CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@4346883bQBeBd26syWTKX2CVC5bDcA

Linux kernel 2.6.13 and earlier, when CONFIG_AUDITSYSCALL is enabled,
uses an incorrect function to free names_cache memory, which prevents
the memory from being tracked by AUDITSYSCALL code and leads to a
memory leak.
Comment 5 Marcus Meissner 2005-11-11 15:55:32 UTC
still needs applier for 10.0   -> mason day.. 
Comment 6 Chris L Mason 2005-11-14 05:57:37 UTC
Ack, this will go in on Monday. Marcus, comment #2 confuses me; does it really belong with this patch?
Comment 7 Marcus Meissner 2005-11-15 10:27:12 UTC
comment #2 is bad and is the wrong patch, sorry... 

do you need the patch extracted?
Comment 8 Chris L Mason 2005-11-20 19:32:51 UTC
This is now in cvs, sorry for the delay.
Comment 9 Marcus Meissner 2005-11-21 12:20:38 UTC
thanks! assigning back to us for tracking.
Comment 10 Marcus Meissner 2005-12-09 10:45:03 UTC
updates released for 10.0.
Comment 11 Thomas Biege 2009-10-13 21:41:17 UTC
CVE-2005-3181: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)