Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 21 Sep 2015 17:50:17 +0200
From: Salvatore Bonaccorso <>
Subject: Re: CVE request: Use-after-free in Linux kernel with
 aufs mmap patch


On Thu, Sep 10, 2015 at 08:26:30PM +0100, Ben Hutchings wrote:
> The aufs (Advanced Union Filesystem) project provides an optional patch
> for the Linux kernel, called either aufs3-mmap.patch or
> aufs4-mmap.patch, which is needed to ensure correct behaviour of
> memory-mapped files from an aufs mount.
> Each memory mapping (vma) holds a reference to the file that is mapped.
> This patch makes it also hold a reference to the virtual file on the
> union mount through which the file was found, where applicable.
> In two functions, madvise_remove() and sys_msync(), it is necessary to
> take an extra reference to the mapped file before unlocking the current
> memory management state, as the vma may be freed after that point.
> Unfortunately the aufs patch introduces later uses of the vma, resulting
> in a potential use-after-free.  This is certainly exploitable for a
> minor denial of service (BUG in process context, so the task can't be
> cleaned up properly but the system does not panic) but might also be
> usable for privilege escalation.
> I posted a patch here that works for me:
> Please assign a CVE ID to this.

Adding MITRE's CVE assignment team to CC.

Can you assign a CVE for this issue? confirms that
Ben Hutchins' patch fixes the issue.


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ