Wind River Support Network

Recommended Type: Patch

Security Advisory - Linux Kernel - CVE-2008-1375

Released: May 7, 2008     Updated: May 7, 2008


The function fcntl_dirnotify() adds an element to inode->i_dnotify. That element holds a reference to a struct file and to a struct files_struct, and neither reference is counted (it contributes to no refcount).

filp_close() (called when the reference to the file is removed from the descriptor table) purges the element for that file/descriptor table from ->i_dnotify.

The problem is that fcntl() can race with close() from another thread, inserting the element after close() has already finished. If that happens, the element is stuck in the list forever, long after the struct file it refers to has been freed and reused.

Having the (in-core) inode freed and reused doesn't clean it up either: "->i_dnotify is empty on an allocated inode" is guaranteed by the slab constructor, so freeing and reallocating won't touch the list at all, since it must already have been emptied before the final reference to the inode was dropped.

IDENTIFIER = WIND00121877
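The race described above, as an added single-threaded model that is not Wind River's or the kernel's code (model_open, model_close, dnotify_insert and run_race are names invented here): fcntl()'s lookup of the file completes, close() on the other thread finishes and purges the list, and fcntl() then links its element to a struct file that is already gone. The hardened variant re-checks, after linking, that the descriptor still maps to the same struct file and backs the insertion out if it does not; that recovery step is the model's own and is not a statement of how the kernel patch is written.

```c
/* Added illustration (not Wind River's or the kernel's code): a model of the
 * dnotify race in the advisory. The lookup-then-insert sequence is driven by
 * hand so the interleaving is deterministic; the real kernel does this under
 * inode->i_lock, which the single-threaded model does not need. */
#include <stdio.h>
#include <string.h>

#define MAX_FDS 4

struct file {            /* stands in for struct file */
    int id;
    int freed;           /* set once "close" has dropped the last reference */
};

struct dn_entry {        /* stands in for the element on inode->i_dnotify */
    struct file *filp;   /* raw, uncounted pointer, as in the advisory */
    int fd;
    struct dn_entry *next;
};

static struct file file_pool[MAX_FDS];     /* files are pooled, not free()d,
                                              so stale pointers can be inspected */
static struct file *fd_table[MAX_FDS];     /* models files_struct */
static struct dn_entry entry_pool[MAX_FDS];
static struct dn_entry *i_dnotify;         /* models inode->i_dnotify */

static void model_reset(void)
{
    memset(file_pool, 0, sizeof file_pool);
    memset(fd_table, 0, sizeof fd_table);
    memset(entry_pool, 0, sizeof entry_pool);
    i_dnotify = NULL;
}

static struct file *model_open(int fd)
{
    file_pool[fd].id = fd;
    file_pool[fd].freed = 0;
    fd_table[fd] = &file_pool[fd];
    return fd_table[fd];
}

/* filp_close(): unlink every entry for this fd/file, then release the file. */
static void model_close(int fd)
{
    struct file *filp = fd_table[fd];
    struct dn_entry **pp = &i_dnotify;
    while (*pp) {
        if ((*pp)->filp == filp && (*pp)->fd == fd)
            *pp = (*pp)->next;
        else
            pp = &(*pp)->next;
    }
    fd_table[fd] = NULL;
    filp->freed = 1;     /* the struct file is gone; any pointer to it is stale */
}

/* Second half of fcntl_dirnotify(): link the element into i_dnotify.
 * With hardened set, re-check that fd still maps to filp and back the
 * insertion out if it does not. Returns 0 on success, -1 if backed out. */
static int dnotify_insert(struct file *filp, int fd, int hardened)
{
    struct dn_entry *dn = &entry_pool[fd];
    dn->filp = filp;
    dn->fd = fd;
    dn->next = i_dnotify;
    i_dnotify = dn;
    if (hardened && fd_table[fd] != filp) {
        i_dnotify = dn->next;   /* dn is at the head: unlink it again */
        return -1;
    }
    return 0;
}

/* Count list entries whose struct file has already been released. */
static int count_dangling(void)
{
    int n = 0;
    for (struct dn_entry *dn = i_dnotify; dn; dn = dn->next)
        n += dn->filp->freed;
    return n;
}

/* Drive the race: fcntl() looks fd up, close() finishes, fcntl() inserts. */
int run_race(int hardened)
{
    model_reset();
    struct file *filp = model_open(1);   /* fcntl's lookup of the file */
    model_close(1);                      /* other thread's close() completes */
    dnotify_insert(filp, 1, hardened);   /* fcntl resumes with the stale filp */
    return count_dangling();             /* 1 when vulnerable, 0 when hardened */
}

int main(void)
{
    printf("vulnerable: %d dangling entries\n", run_race(0));
    printf("hardened:   %d dangling entries\n", run_race(1));
    return 0;
}
```

The unpatched sequence leaves one entry pointing at a released file, which is exactly the element the advisory says is "stuck there forever"; with the post-insert re-check the list is empty again after the race.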

Product Version

Linux Platforms 2.0, Linux Platforms 1.x


Installation Notes

Installation Notes for 1.4, 1.5 and 2.0

1. Unzip the patch under [install_dir]/updates

2. Install the patch CD by entering the patch CD directory and running setup_linux.

3. This is a source-only patch, so you will have to build the kernel.

4. Issue a make fs and make the kernel in a configured directory.

5. Upload the kernel and rootfs into the target and boot it up.
