ID CVE-2009-1961
Summary The inode double locking code in fs/ocfs2/file.c in the Linux kernel 2.6.30 before 2.6.30-rc3, 2.6.27 before 2.6.27.24, 2.6.29 before 2.6.29.4, and possibly other versions down to 2.6.19 allows local users to cause a denial of service (prevention of file creation and removal) via a series of splice system calls that trigger a deadlock between the generic_file_splice_write, splice_from_pipe, and ocfs2_file_splice_write functions.
References
Vulnerable Configurations
  • cpe:2.3:o:linux:linux_kernel:2.6.27.1:*:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:2.6.27.2:*:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:2.6.27.3:*:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:2.6.27.4:*:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:2.6.27.10:*:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:2.6.27.11:*:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:2.6.27.12:*:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:2.6.27.13:*:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:2.6.27.14:*:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:2.6.27.15:*:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:2.6.27.16:*:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:2.6.27.17:*:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:2.6.27.18:*:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:2.6.27.19:*:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:2.6.27.20:*:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:2.6.27.21:*:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:2.6.27.22:*:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:2.6.27.23:*:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:2.6.29:git1:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:2.6.29:rc2_git7:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:2.6.29:rc8-kk:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:2.6.29.3:*:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:2.6.29.rc1:*:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:2.6.29.rc2:*:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:2.6.29.rc2-git1:*:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:2.6.30:rc1:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:2.6.30:rc2:*:*:*:*:*:*
CVSS
Base: 1.9 (as of 19-03-2012 - 04:00)
Impact:
Exploitability:
CWE CWE-362
CAPEC
  • Leveraging Race Conditions
    This attack targets a race condition that occurs when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the accesses take place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while a file is being accessed: the attacker can trick the system by replacing the original file with his own version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition that occurs between the time of check (state) of a resource and the time of use of that resource. The typical example is file access. The attacker can leverage a file access race condition by "running the race", meaning that he modifies the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Access
Vector: LOCAL
Complexity: MEDIUM
Authentication: NONE
Impact
Confidentiality: NONE
Integrity: NONE
Availability: PARTIAL
cvss-vector via4 AV:L/AC:M/Au:N/C:N/I:N/A:P
redhat via4
advisories
rhsa
id RHSA-2009:1157
refmap via4
bid 35143
confirm http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=7bfac9ecf0585962fe13584f5cf526d8c8e76f17
debian DSA-1844
mandriva
  • MDVSA-2009:135
  • MDVSA-2009:148
mlist
  • [oss-security] 20090529 CVE request: kernel: splice local denial of service
  • [oss-security] 20090530 Re: CVE request: kernel: splice local denial of service
  • [oss-security] 20090602 Re: CVE request: kernel: splice local denial of service
  • [oss-security] 20090603 Re: CVE request: kernel: splice local denial of service
sectrack 1022307
secunia
  • 35390
  • 35394
  • 35656
  • 35847
  • 36051
suse
  • SUSE-SA:2009:030
  • SUSE-SA:2009:031
  • SUSE-SA:2009:038
ubuntu USN-793-1
statements via4
contributor Tomas Hoger
lastmodified 2009-07-15
organization Red Hat
statement This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and 5. It was addressed in Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-1157.html
Last major update 19-03-2012 - 04:00
Published 08-06-2009 - 01:00