Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 219901 (CVE-2008-1375) - Kernel: dnotify/close race condition DoS (CVE-2008-1375)
Summary: Kernel: dnotify/close race condition DoS (CVE-2008-1375)
Alias: CVE-2008-1375
Product: Gentoo Security
Classification: Unclassified
Component: Kernel (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Whiteboard: [linux <] [linux >=2.6.25 <2....
: 216675 (view as bug list)
Depends on:
Reported: 2008-05-01 07:41 UTC by Robert Buchholz (RETIRED)
Modified: 2013-09-05 03:38 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-05-01 07:41:13 UTC
Fix dnotify/close race

We have a race between fcntl() and close() that can lead to
dnotify_struct inserted into inode's list *after* the last descriptor
had been gone from current->files.

Since that's the only point where dnotify_struct gets evicted, we are
screwed - it will stick around indefinitely.  Even after struct file in
question is gone and freed.  Worse, we can trigger send_sigio() on it at
any later point, which allows to send an arbitrary signal to arbitrary
process if we manage to apply enough memory pressure to get the page
that used to host that struct file and fill it with the right pattern...
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-05-01 07:44:30 UTC
*** Bug 216675 has been marked as a duplicate of this bug. ***
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-05-03 11:45:20 UTC
released in and
Comment 3 into-the-trash-it-goes 2009-07-20 18:44:22 UTC
hardened-kernel unaffected at present time. Removing alias.

PS: Anything using >=genpatches-2.6.25-3 is unaffected and, for 2.6.24, genpatches-2.6.24-8 is the first unaffected release.