Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 25 Feb 2013 14:26:09 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Jason A. Donenfeld" <Jason@...c4.com>
Subject: Re: kernel: tmpfs use-after-free

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/25/2013 12:50 PM, Jason A. Donenfeld wrote:
> Hey all,
> 
> While everyone's going wild hndl->dump'ing with CVE-2013-1763,
> there's apparently been another silent security fix with 
> 5f00110f7273f9ff04ac69a5f85bb535a4fd0987 [1]:
> 
>> tmpfs: fix use-after-free of mempolicy object
>> 
>> The tmpfs remount logic preserves filesystem mempolicy if the
>> mpol=M option is not specified in the remount request.  A new
>> policy can be specified if mpol=M is given.
>> 
>> Before this patch remounting an mpol bound tmpfs without
>> specifying mpol= mount option in the remount request would set
>> the filesystem's mempolicy object to a freed mempolicy object.
>> 
>> How far back does this issue go? I see it in both 2.6.36 and 3.3.
>> I did not look back further.
> 
> 
> The commit message goes on with details on how to trigger it. Note 
> that as of 5eaf563e53294d6696e651466697eb9d491f3946 [2], you can
> now mount filesystems as an unprivileged user after a call to 
> unshare(CLONE_NEWUSER | CLONE_NEWNS), or a similar clone(2) call.
> This means all those random random filesystem bugs you have laying
> around in the junk bin are now quite useful. ++tricks;
> 
> Cheers, Jason
> 
> 
> [1]
> http://git.zx2c4.com/linux/commit/?id=5f00110f7273f9ff04ac69a5f85bb535a4fd0987
>
> 
[2]
http://git.zx2c4.com/linux/commit/?id=5eaf563e53294d6696e651466697eb9d491f3946
> 
> -- Jason A. Donenfeld www.zx2c4.com
> 

Please use CVE-2013-1767 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRK9bxAAoJEBYNRVNeJnmT+KAP/2kWFMI53p1OVhS3/kIAySJl
ScgB7KUoi7MbqG9yMlk2bN1/xsfea8fsZpGLRZKzHrzZ3b39EUKMSEH4hGqadlNm
gYS4qcsSHK9h1ZXqtIboC8EtrJ/FabRw0rgD++LhqkoUhaDgjiwgHPBM4bd4E7TM
Pq3Ch8aZawS4vB2CMHpXhFzpQv/r+S/PHl2ckfvrEOdhfLpEWyAF6e9FMJYI6H7+
UKOT8C39uFvHxtI2ktzdU+kvu8OdXq+xXYegcNld6oUQ3+8l1Nxscf49+SqqROM0
XaS272Rq4ABeMMTaPreRk+879vbUrDi2TbfbH863x5ZGQMMMHjTusSg/6/18kB4Q
y6ZghNCNj9gzx2EmmS8GIt+JBVtYuQNiGZRVRdFW9McFgYS5eE9hydaa6SR/q7EI
ZRteWVWfHsSt/ZFAL3EWbUQPNzEFg/M2z9q1Y2uDFYzWyzvIHYI+PWji45IO0bvw
tq+k/3AqjZrSKPlO4rb8D4Mf7TMGgu6IDLye+6aBGklvZthW1qBXqS29dxctbhi7
w48Q8kUXCX72ha3EfHmDvek1OX/HBiKX3SRFH6TlvnRuyVUkoRssA0KyIxAuKqE0
71DUh9FACoHgiIsxsDruFVOLOo2EA8ZRkOhyPa7nZ3DcnJBU923pQY/FodIn7RI6
dein18BQzW+5i0yxZLXB
=sB1j
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ