oss-sec mailing list archives
CVE request -- kernel: cifs: dentry refcount leak when opening a FIFO on lookup leads to panic on unmount
From: Petr Matousek <pmatouse () redhat com>
Date: Tue, 28 Feb 2012 16:15:02 +0100
The cifs code will attempt to open files on lookup under certain circumstances. What happens though if we find that the file we opened was actually a FIFO or other special file? Currently, the open filehandle just ends up being leaked leading to a dentry refcount mismatch and oops on umount.

An unprivileged local user could use this flaw to crash the system.

Introduced by:
a6ce4932fbdbcd8f8e8c6df76812014351c32892 (Linux kernel 2.6.31)

Proposed upstream patch:
http://thread.gmane.org/gmane.linux.kernel.cifs/5526

References:
https://bugzilla.redhat.com/show_bug.cgi?id=798293
http://thread.gmane.org/gmane.linux.kernel.cifs/5526

Thanks,
--
Petr Matousek / Red Hat Security Response Team
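The reference-count imbalance described in the report, as an added userland model that is not part of the original message and is not kernel or cifs code. All type and function names are hypothetical, and the `fixed` path (closing the unused handle) is an assumed remedy for illustration, not a rendering of the upstream patch.

```c
#include <stdio.h>
#include <stdbool.h>

/* Simplified userland model; all names are hypothetical, not kernel code. */
enum ftype { REGULAR, FIFO };

struct dentry { int refcount; enum ftype type; };
struct file   { struct dentry *d; bool open; };

/* Opening a file pins its dentry. */
static void open_file(struct file *f, struct dentry *d) {
    d->refcount++;
    f->d = d;
    f->open = true;
}

/* Closing drops the reference taken at open time. */
static void close_file(struct file *f) {
    if (f->open) { f->d->refcount--; f->open = false; }
}

/* Lookup that opens the file as a side effect. Returns true if the caller
 * receives a usable open handle. With fixed == false the special-file path
 * returns without closing, which is the leak described in the report. */
static bool lookup_open(struct dentry *d, struct file *f, bool fixed) {
    d->refcount++;            /* reference held by the lookup itself */
    open_file(f, d);
    bool usable = (d->type == REGULAR);
    if (!usable && fixed)
        close_file(f);        /* release the handle nobody will use */
    d->refcount--;            /* lookup is done with its own reference */
    return usable;
}

/* Returns the dentry references still outstanding when unmount would run. */
int refs_at_umount(enum ftype type, bool fixed) {
    struct dentry d = { 0, type };
    struct file f = { 0 };
    if (lookup_open(&d, &f, fixed))
        close_file(&f);       /* normal caller closes its handle later */
    return d.refcount;
}

int main(void) {
    printf("regular, leaky: %d\n", refs_at_umount(REGULAR, false));
    printf("fifo,    leaky: %d\n", refs_at_umount(FIFO, false));
    printf("fifo,    fixed: %d\n", refs_at_umount(FIFO, true));
    return 0;
}
```

A nonzero count at unmount time is the mismatch the report says ends in an oops; in the model only the special-file path without the close leaves one behind.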