Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 25 Feb 2013 20:50:12 +0100
From: "Jason A. Donenfeld" <>
To: oss-security <>
Subject: kernel: tmpfs use-after-free

Hey all,

While everyone's going wild hndl->dump'ing with CVE-2013-1763, there's
apparently been another silent security fix with
5f00110f7273f9ff04ac69a5f85bb535a4fd0987 [1]:

> tmpfs: fix use-after-free of mempolicy object
> The tmpfs remount logic preserves filesystem mempolicy if the mpol=M
> option is not specified in the remount request.  A new policy can be
> specified if mpol=M is given.
> Before this patch remounting an mpol bound tmpfs without specifying
> mpol= mount option in the remount request would set the filesystem's
> mempolicy object to a freed mempolicy object.
> How far back does this issue go? I see it in both 2.6.36 and 3.3.  I did
> not look back further.

The commit message goes on with details on how to trigger it. Note
that as of 5eaf563e53294d6696e651466697eb9d491f3946 [2], you can now
mount filesystems as an unprivileged user after a call to
unshare(CLONE_NEWUSER | CLONE_NEWNS), or a similar clone(2) call. This
means all those random random filesystem bugs you have laying around
in the junk bin are now quite useful. ++tricks;



Jason A. Donenfeld

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ