Bug 121931 - VUL-0: kernel: CONFIG_AUDITSYSCALL memleak
Summary: VUL-0: kernel: CONFIG_AUDITSYSCALL memleak
Status: RESOLVED FIXED
Alias: None
Product: SUSE LINUX 10.0
Classification: openSUSE
Component: Kernel (show other bugs)
Version: unspecified
Hardware: Other All
: P5 - None : Normal
Target Milestone: ---
Assignee: Marcus Meissner
QA Contact: E-mail List
URL:
Whiteboard: CVE-2005-3181: CVSS v2 Base Score: 2....
Keywords:
Depends on:
Blocks:
 
Reported: 2005-10-10 10:28 UTC by Thomas Biege
Modified: 2009-10-13 21:41 UTC (History)
2 users (show)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
auditfs-leak.patch (839 bytes, patch)
2005-10-10 14:10 UTC, Marcus Meissner 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Biege 2005-10-10 10:28:55 UTC 
And another one which I am not sure we are vulnerable by it.


From: Chris Wright <chrisw@osdl.org>
To: vendor-sec@lst.de
User-Agent: Mutt/1.5.6i
Subject: [vendor-sec] (no subject)
Errors-To: vendor-sec-admin@lst.de
Date: Fri, 7 Oct 2005 15:46:16 -0700

Another memleak in kernel, this time when CONFIG_AUDITSYSCALL is enabled.
This one is upstream and public.

thanks,
-chris
--

From: Linus Torvalds <torvalds@g5.osdl.org>
Date: Fri, 7 Oct 2005 04:54:21 +0000 (-0700)
Subject:     Avoid 'names_cache' memory leak with CONFIG_AUDITSYSCALL
X-Git-Url:
http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=829841146878e082613a49581ae252c071057c23

Avoid 'names_cache' memory leak with CONFIG_AUDITSYSCALL

The nameidata "last.name" is always allocated with "__getname()", and
should always be free'd with "__putname()".

Using "putname()" without the underscores will leak memory, because the
allocation will have been hidden from the AUDITSYSCALL code.

Arguably the real bug is that the AUDITSYSCALL code is really broken,
but in the meantime this fixes the problem people see.

Reported by Robert Derr, patch by Rick Lindsley.

Acked-by: Al Viro <viro@ftp.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
---
---

--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1551,19 +1551,19 @@ do_link:
        if (nd->last_type != LAST_NORM)
                goto exit;
        if (nd->last.name[nd->last.len]) {
-               putname(nd->last.name);
+               __putname(nd->last.name);
                goto exit;
        }
        error = -ELOOP;
        if (count++==32) {
-               putname(nd->last.name);
+               __putname(nd->last.name);
                goto exit;
        }
        dir = nd->dentry;
        down(&dir->d_inode->i_sem);
        path.dentry = __lookup_hash(&nd->last, nd->dentry, nd);
        path.mnt = nd->mnt;
-       putname(nd->last.name);
+       __putname(nd->last.name);
        goto do_last;
 }

_______________________________________________
Comment 1 Marcus Meissner 2005-10-10 14:09:47 UTC 
for 10.0
Comment 2 Marcus Meissner 2005-10-10 14:10:27 UTC 
Created attachment 52083 [details]
auditfs-leak.patch
Comment 3 Marcus Meissner 2005-10-10 14:10:48 UTC 
hubert for 10.0 only. please apply
Comment 4 Thomas Biege 2005-10-12 06:33:36 UTC 
Candidate: CAN-2005-3181
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3181
Reference:
CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@4346883bQBeBd26syWTKX2CVC5bDcA

Linux kernel 2.6.13 and earlier, when CONFIG_AUDITSYSCALL is enabled,
uses an incorrect function to free names_cache memory, which prevents
the memory from being tracked by AUDITSYSCALL code and leads to a
memory leak.
Comment 5 Marcus Meissner 2005-11-11 15:55:32 UTC 
still needs applier for 10.0   -> mason day..
Comment 6 Chris L Mason 2005-11-14 05:57:37 UTC 
Ack, This will go in on Monday.  Marcus, comment #2 confuses me, does it really belong with this patch?
Comment 7 Marcus Meissner 2005-11-15 10:27:12 UTC 
comment #2 is bad and is the wrong patch, sorry... 

do you need the patch extracted?
Comment 8 Chris L Mason 2005-11-20 19:32:51 UTC 
This is now in cvs, sorry for the delay.
Comment 9 Marcus Meissner 2005-11-21 12:20:38 UTC 
thanks! assigning back to us for tracking.
Comment 10 Marcus Meissner 2005-12-09 10:45:03 UTC 
updates released for 10.0.
Comment 11 Thomas Biege 2009-10-13 21:41:17 UTC 
CVE-2005-3181: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)