oss-sec mailing list archives
Re: CVE request: kernel: splice local denial of service
From: Miklos Szeredi <mszeredi () suse cz>
Date: Tue, 02 Jun 2009 11:54:04 +0200
On Sat, 2009-05-30 at 03:36 -0400, Jon Oberheide wrote:
The deadlock can be reproduced easily (you might need to fork() a few
times to get an pipe inode allocation ptr less than the file inode ptr):
pipe(pfds);
snprintf(buf, sizeof(buf), "/tmp/%d", getpid());
fd = open(buf, O_RDWR | O_CREAT, S_IRWXU);
if (fork()) {
splice(pfds[0], NULL, fd, NULL, 1024, NULL);
} else{
sleep(1);
splice(pfds[0], NULL, fd, NULL, 1024, NULL);
}
However, the deadlock only affects the task attempting to acquire the
inode's i_mutex, so an attacker would require write access to a file
that is also written (or other fs op that acquires i_mutex) by some
victim process. That is, unless I've missed something. :-)
Some operations also take i_mutex on parent (open(O_CREAT), mkdir,
unlink, rmdir, rename, etc), and the order is always parent first. This
means, that if some task is holding i_mutex on /tmp/foo, then doing
unlink("/tmp/foo") will block while holding i_mutex on /tmp. Together
with the above deadlock it will prevent creation or removal of files
under /tmp, making the system pretty much unusable.
Thanks,
Miklos
Current thread:
- CVE request: kernel: splice local denial of service Marcus Meissner (May 29)
- Re: CVE request: kernel: splice local denial of service Jon Oberheide (May 30)
- Re: CVE request: kernel: splice local denial of service Miklos Szeredi (Jun 02)
- Re: CVE request: kernel: splice local denial of service Eugene Teo (Jun 02)
- Re: CVE request: kernel: splice local denial of service Steven M. Christey (Jun 06)
- Re: CVE request: kernel: splice local denial of service Miklos Szeredi (Jun 02)
- Re: CVE request: kernel: splice local denial of service Jon Oberheide (May 30)
