Bug 42930 (CVE-2003-0956)

Summary: VUL-0: CVE-2003-0956: kernel: O_DIRECT exposes stale disk blocks
Product: [Novell Products] SUSE Security Incidents
Reporter: Olaf Kirch <okir>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Critical
Priority: P5 - None
CC: krahmer, security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2003-0956: CVSS v2 Base Score: 2.6 (AV:L/AC:H/Au:N/C:P/I:P/A:N)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 47333
Attachments: Exploit from Stephen Tweedie. CONFIDENTIAL

Description Olaf Kirch 2003-07-15 18:44:19 UTC
There is a race condition when two processes access a file at the same
time; one reading with O_DIRECT, the other writing to it. The reading
process will see random stale disk blocks.
Comment 1 Olaf Kirch 2003-07-15 18:44:19 UTC
See attached exploit.
Comment 2 Olaf Kirch 2003-07-15 18:45:11 UTC
Created attachment 13106 [details]
Exploit from Stephen Tweedie. CONFIDENTIAL
Comment 3 Hubert Mantel 2003-07-15 22:08:32 UTC
*** Bug 42934 has been marked as a duplicate of this bug. ***
Comment 4 Ralf Flaxa 2003-09-15 18:56:49 UTC
Raising priority to critical.
Any comments/progress on this Hubert?
Shall we assign it to the security people?
Comment 5 Andrea Arcangeli 2003-09-22 21:08:35 UTC
this was fixed in our tree months ago (possibly in SP2a too I think but I'm
unsure).

also the bug happened best by writing with O_DIRECT while reading with
O_DIRECT AFAIK.

Now in current kernels it's all serialized by the i_alloc_sem.

This has been fixed in mainline too (I don't remember exactly which
release though, I can check it if you need to know). But in CVS head it's
certainly fixed; just grep for i_alloc_sem in mm/filemap.c, the fixed kernels
will have i_alloc_sem there.
Comment 6 Ralf Flaxa 2003-09-23 16:19:35 UTC
Assigning to security people to confirm this is fixed, at least for SP3.
Comment 7 Ihno Krumreich 2003-10-14 20:46:51 UTC
Please comment the Status of this bug! 
Comment 8 Ihno Krumreich 2003-10-15 22:22:48 UTC
According to Hubert this fix is in 2.4.21 (at least for SP3 RC2).
Andrea, can you please confirm this?

The bug remains open, because the fix has still to be done
for the older kernels.
Comment 9 Andrea Arcangeli 2003-10-15 22:33:54 UTC
yes, the filename of the patch that fixes the security problem is
9999901_O_DIRECT-1 and it's included in SP3 (aka CVS head) but not in SP2a.

the simplest way to verify if a kernel has the fix or not, is to grep for
i_alloc_sem. If i_alloc_sem is in the sourcecode, then the kernel is safe and
correct. If i_alloc_sem is missing, then the kernel is not safe.
Comment 10 Hubert Mantel 2003-10-17 16:28:49 UTC
When SP3 is released, we really should also fix this problem for older kernels.
However the patch from current kernel does not apply to older versions.
Resolving the conflicts is not trivial, it needs to be done by somebody who
really understands the code. Andrea, can you do that? But only after SP3 is
released; we still have some quite severe problems here...
Comment 11 Hubert Mantel 2003-12-03 16:00:24 UTC
Fixed.
Comment 12 Olaf Kirch 2003-12-03 16:56:53 UTC
Reopened by okir@suse.de at Wed Dec  3 09:56:53 2003
Comment 13 Olaf Kirch 2003-12-03 16:56:53 UTC
Reopened for security-team tracking 
Comment 14 Thomas Biege 2004-01-06 03:05:50 UTC
I think all kernels are released now. Even the School Server isn't in the
patch_status queue anymore.
Comment 15 Marcus Meissner 2007-03-24 15:55:52 UTC
CVE-2003-0956
Comment 16 Thomas Biege 2009-10-13 19:37:33 UTC
CVE-2003-0956: CVSS v2 Base Score: 2.6 (AV:L/AC:H/Au:N/C:P/I:P/A:N)