Date: Mon, 21 Sep 2015 17:50:17 +0200 From: Salvatore Bonaccorso <carnil@...ian.org> To: oss-security@...ts.openwall.com Cc: sfjro@...rs.sourceforge.net Subject: Re: CVE request: Use-after-free in Linux kernel with aufs mmap patch Hi On Thu, Sep 10, 2015 at 08:26:30PM +0100, Ben Hutchings wrote: > The aufs (Advanced Union Filesystem) project provides an optional patch > for the Linux kernel, called either aufs3-mmap.patch or > aufs4-mmap.patch, which is needed to ensure correct behaviour of > memory-mapped files from an aufs mount. > > Each memory mapping (vma) holds a reference to the file that is mapped. > This patch makes it also hold a reference to the virtual file on the > union mount through which the file was found, where applicable. > > In two functions, madvise_remove() and sys_msync(), it is necessary to > take an extra reference to the mapped file before unlocking the current > memory management state, as the vma may be freed after that point. > Unfortunately the aufs patch introduces later uses of the vma, resulting > in a potential use-after-free. This is certainly exploitable for a > minor denial of service (BUG in process context, so the task can't be > cleaned up properly but the system does not panic) but might also be > usable for privilege escalation. > > I posted a patch here that works for me: > http://sourceforge.net/p/aufs/mailman/message/34449209/ > > Please assign a CVE ID to this. Adding MITRE's CVE assignment team to CC. Can you assign a CVE for this issue? http://www.openwall.com/lists/oss-security/2015/09/18/10 confirms that Ben Hutchins' patch fixes the issue. Regards, Salvatore
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ