Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 19 Jan 2016 06:58:38 -0500 (EST)
From: Wade Mealing <wmealing@...hat.com>
To: OSS Security List <oss-security@...ts.openwall.com>
Subject: Linux kernel: use after free in keyring facility.

Gday,

It was reported that possible use-after-free vulnerability in keyring facility, possibly leading to local privilege escalation was found. The function join_session_keyring in security/keys/process_keys.c holds a reference to the requested keyring, but if that keyring is the same as the one being currently used by the process, the kernel wouldn't decrease keyring->usage before returning to userspace. The usage field can be overflowed causing use-after-free on the keyring object.

This was introduced in commit 3a50597de8635cd05133bd12c95681c82fe7b878.

Perception point reported this vulnerability to Red Hat and it has been assigned CVE-2016_0728.  

Red Hat Bugzilla flaw:
 https://bugzilla.redhat.com/show_bug.cgi?id=1297475

Investigation:
 http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/

Patches will be available shortly with the upstream fix and are also explained in the investigation link above.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ