Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 30 May 2009 03:36:30 -0400
From: Jon Oberheide <>
Subject: Re: CVE request: kernel: splice local denial of

The deadlock can be reproduced easily (you might need to fork() a few
times to get an pipe inode allocation ptr less than the file inode ptr):

    snprintf(buf, sizeof(buf), "/tmp/%d", getpid());
    fd = open(buf, O_RDWR | O_CREAT, S_IRWXU);

    if (fork()) {
        splice(pfds[0], NULL, fd, NULL, 1024, NULL);
    } else{
        splice(pfds[0], NULL, fd, NULL, 1024, NULL);

However, the deadlock only affects the task attempting to acquire the
inode's i_mutex, so an attacker would require write access to a file
that is also written (or other fs op that acquires i_mutex) by some
victim process.  That is, unless I've missed something. :-)

Jon Oberheide

On Fri, 2009-05-29 at 17:20 +0200, Marcus Meissner wrote:
> Hi oss-sec,
> CVE Request for a local denial kernel issue....
> The splice(2) syscall has received some fixes against local deadlocks.
> 2.6.30-rc3 is fixed,
> is fixed, and
> is fixed.
> The inode double locking code was introduced in 2.6.19, so I guess earlier
> kernel versions are not affected. (Miklos?)
> Its as far as I understand this set of changes in mainline:
> (this one with description of issue)
> Ciao, Marcus
Jon Oberheide <>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6  F184 5842 1C89 F47C 17FE

Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ