Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 01 Aug 2015 17:37:42 +0100
From: Ben Hutchings <ben@...adent.org.uk>
To: oss-security <oss-security@...ts.openwall.com>
Cc: security@...ian.org, Brad Spengler <spender@...ecurity.net>
Subject: CVE request: Use-after-free in path lookup in Linux 3.11-4.0
 inclusive

Bug was introduced in Linux 3.11-rc1 by:

commit 60545d0d4610b02e55f65d141c95b18ccf855b6e
Author: Al Viro <viro@...iv.linux.org.uk>
Date:   Fri Jun 7 01:20:27 2013 -0400

    [O_TMPFILE] it's still short a few helpers, but infrastructure should be OK now...
    
    Signed-off-by: Al Viro <viro@...iv.linux.org.uk>

Fixed in 4.1-rc3 by:

commit f15133df088ecadd141ea1907f2c96df67c729f0
Author: Al Viro <viro@...iv.linux.org.uk>
Date:   Fri May 8 22:53:15 2015 -0400

    path_openat(): fix double fput()
    
    path_openat() jumps to the wrong place after do_tmpfile() - it has
    already done path_cleanup() (as part of path_lookupat() called by
    do_tmpfile()), so doing that again can lead to double fput().
    
    Cc: stable@...r.kernel.org  # v3.11+
    Signed-off-by: Al Viro <viro@...iv.linux.org.uk>

Thanks to Brad Spengler for pointing this out:<
https://twitter.com/grsecurity/status/597127122910490624>

The fix was also included in the following stable releases:

v3.13.11-ckt22: d8ef4f4c5465 path_openat(): fix double fput()
v3.16.7-ckt12: bedf03d0b88d path_openat(): fix double fput()
v3.18.15: f42b455331b5 path_openat(): fix double fput()
v3.19.8-ckt1: cf32bb6d9d18 path_openat(): fix double fput()
v4.0.4: 335d3678d60d path_openat(): fix double fput()

Ben.

-- 
Ben Hutchings
One of the nice things about standards is that there are so many of them.

Download attachment "signature.asc" of type "application/pgp-signature" (812 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.