Date: Tue, 27 Oct 2015 09:37:12 +0100 From: Quentin Casasnovas <quentin.casasnovas@...cle.com> To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org Subject: Re: CVE-2015-6937 - Linux kernel - NULL pointer dereference in net/rds/connection.c On Mon, Sep 14, 2015 at 03:34:59PM -0400, cve-assign@...re.org wrote: > CVE-2015-6937 has been assigned to this issue that is exploitable "on > sockets that weren't properly bound before attempting to send a > message": > > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=74e98eb085889b0d2d4908f59f6e00026063014f > The above fix is incomplete and still allows to trigger a NULL pointer dereference when sending a message. The root cause of this problem is a race condition when checking that the socket is bound in rds_sendmsg(), more information and a complete fix can be found here: https://lkml.org/lkml/2015/10/16/530 It should hit Linus' tree soon but since distributions already started shipping the incomplete fix, I thought it would be wise to mention this here. Quentin
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.