Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 21 Sep 2015 17:50:17 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: sfjro@...rs.sourceforge.net
Subject: Re: CVE request: Use-after-free in Linux kernel with
 aufs mmap patch

Hi

On Thu, Sep 10, 2015 at 08:26:30PM +0100, Ben Hutchings wrote:
> The aufs (Advanced Union Filesystem) project provides an optional patch
> for the Linux kernel, called either aufs3-mmap.patch or
> aufs4-mmap.patch, which is needed to ensure correct behaviour of
> memory-mapped files from an aufs mount.
> 
> Each memory mapping (vma) holds a reference to the file that is mapped.
> This patch makes it also hold a reference to the virtual file on the
> union mount through which the file was found, where applicable.
> 
> In two functions, madvise_remove() and sys_msync(), it is necessary to
> take an extra reference to the mapped file before unlocking the current
> memory management state, as the vma may be freed after that point.
> Unfortunately the aufs patch introduces later uses of the vma, resulting
> in a potential use-after-free.  This is certainly exploitable for a
> minor denial of service (BUG in process context, so the task can't be
> cleaned up properly but the system does not panic) but might also be
> usable for privilege escalation.
> 
> I posted a patch here that works for me:
> http://sourceforge.net/p/aufs/mailman/message/34449209/
> 
> Please assign a CVE ID to this.

Adding MITRE's CVE assignment team to CC.

Can you assign a CVE for this issue?
http://www.openwall.com/lists/oss-security/2015/09/18/10 confirms that
Ben Hutchins' patch fixes the issue.

Regards,
Salvatore

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ