Description
The (1) real_lookup and (2) __lookup_hash functions in fs/namei.c in the vfs implementation in the Linux kernel before 2.6.25.15 do not prevent creation of a child dentry for a deleted (aka S_DEAD) directory, which allows local users to cause a denial of service ("overflow" of the UBIFS orphan area) via a series of attempted file creations within deleted directories.
CVSS breakdown
CVSS 3.1
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Affected products
- Canonical / Ubuntu Linux8.04 – 8.04
- Canonical / Ubuntu Linux6.06 – 6.06
- Canonical / Ubuntu Linux7.04 – 7.04
- Canonical / Ubuntu Linux7.10 – 7.10
- Debian / debian_linux4.0 – 4.0
- Linux / Linux kernel2.6.25.15
- SUSE / suse_linux_enterprise_desktop10 – 10
- SUSE / SUSE Linux Enterprise Server10 – 10
References
- VENDOR_ADVISORYhttp://www.debian.org/security/2008/dsa-1630
- MISChttp://www.redhat.com/support/errata/RHSA-2008-0885.html
- VENDOR_ADVISORYhttps://usn.ubuntu.com/637-1/
- MISChttp://lkml.org/lkml/2008/7/2/83
- VENDOR_ADVISORYhttp://secunia.com/advisories/32190
- MISChttps://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6551
- VENDOR_ADVISORYhttp://www.debian.org/security/2008/dsa-1636
- VENDOR_ADVISORYhttp://secunia.com/advisories/31614
- VENDOR_ADVISORYhttp://secunia.com/advisories/31881
- VENDOR_ADVISORYhttp://secunia.com/advisories/32104
- MISChttp://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=d70b67c8bc72ee23b55381bd6a884f4796692f77
- VENDOR_ADVISORYhttp://secunia.com/advisories/31551
- VENDOR_ADVISORYhttp://www.vupen.com/english/advisories/2008/2430
- MISChttp://www.redhat.com/support/errata/RHSA-2008-0857.html
- MISChttp://www.redhat.com/support/errata/RHSA-2009-0014.html
- MAILING_LISThttp://lists.opensuse.org/opensuse-security-announce/2008-10/msg00001.html
- MISChttp://www.securitytracker.com/id?1020739
- VENDOR_ADVISORYhttp://secunia.com/advisories/33280
- VENDOR_ADVISORYhttp://secunia.com/advisories/33556
- MISChttp://www.securityfocus.com/bid/30647
- VENDOR_ADVISORYhttp://secunia.com/advisories/32023
- MISChttps://bugzilla.redhat.com/show_bug.cgi?id=457858
- VENDOR_ADVISORYhttp://www.mandriva.com/security/advisories?name=MDVSA-2008:220
- VENDOR_ADVISORYhttp://secunia.com/advisories/32344
- MISChttps://exchange.xforce.ibmcloud.com/vulnerabilities/44410
- MISChttp://www.redhat.com/support/errata/RHSA-2008-0973.html
- VENDOR_ADVISORYhttp://secunia.com/advisories/31836
- MISChttp://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.25.15
- MISChttp://www.redhat.com/support/errata/RHSA-2008-0787.html
- MAILING_LISThttp://lists.opensuse.org/opensuse-security-announce/2008-10/msg00003.html
- VENDOR_ADVISORYhttp://secunia.com/advisories/33201
- MISChttps://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10744