Date: Mon, 25 Feb 2013 20:50:12 +0100 From: "Jason A. Donenfeld" <Jason@...c4.com> To: oss-security <oss-security@...ts.openwall.com> Subject: kernel: tmpfs use-after-free Hey all, While everyone's going wild hndl->dump'ing with CVE-2013-1763, there's apparently been another silent security fix with 5f00110f7273f9ff04ac69a5f85bb535a4fd0987 : > tmpfs: fix use-after-free of mempolicy object > > The tmpfs remount logic preserves filesystem mempolicy if the mpol=M > option is not specified in the remount request. A new policy can be > specified if mpol=M is given. > > Before this patch remounting an mpol bound tmpfs without specifying > mpol= mount option in the remount request would set the filesystem's > mempolicy object to a freed mempolicy object. > > How far back does this issue go? I see it in both 2.6.36 and 3.3. I did > not look back further. The commit message goes on with details on how to trigger it. Note that as of 5eaf563e53294d6696e651466697eb9d491f3946 , you can now mount filesystems as an unprivileged user after a call to unshare(CLONE_NEWUSER | CLONE_NEWNS), or a similar clone(2) call. This means all those random random filesystem bugs you have laying around in the junk bin are now quite useful. ++tricks; Cheers, Jason  http://git.zx2c4.com/linux/commit/?id=5f00110f7273f9ff04ac69a5f85bb535a4fd0987  http://git.zx2c4.com/linux/commit/?id=5eaf563e53294d6696e651466697eb9d491f3946 -- Jason A. Donenfeld www.zx2c4.com
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ