Date: Thu, 2 Nov 2017 13:09:21 +1000 From: Wade Mealing <wmealing@...hat.com> To: oss-security@...ts.openwall.com Subject: CVE-2017-12193 Linux kernel: Null pointer dereference due to incorrect node-splitting in assoc_array implementation Gday, A flaw was reported to Red Hat by Wu Fan regarding a kernel panic/oops based on a flaw in the assoc_array implementation used heavily by the keyring subsystem. The flaw description explains it better than I will: --- Fix a case in the assoc_array implementation in which a new leaf is added that needs to go into a node that happens to be full, where the existing leaves in that node cluster together at that level to the exclusion of new leaf. What needs to happen is that the existing leaves get moved out to a new node, N1, at level + 1 and the existing node needs replacing with one, N0, that has pointers to the new leaf and to N1. The code that tries to do this gets this wrong in two ways: (1) The pointer that should've pointed from N0 to N1 is set to point recursively to N0 instead. (2) The backpointer from N0 needs to be set correctly in the case N0 is either the root node or reached through a shortcut. Fix this by removing this path and using the split_node path instead, which achieves the same end, but in a more general way (thanks to Eric Biggers for spotting the redundancy). --- Thanks to: Fan Wu, Haoran Qiu, and Shixiong Zhao supervised by Dr. Heming Cui from the department of Computer Science, University of Hong Kong" for reporting this issue. Upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ea6789980fdaa610d7eb63602c746bf6ec70cd2b -- Best regards, Wade Mealing| Red Hat, Inc. | Product Security Engineer
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.