Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 29 Jan 2020 00:50:22 +0100
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Al Viro <viro@...iv.linux.org.uk>,
	Salvatore Mesoraca <s.mesoraca16@...il.com>,
	Kees Cook <keescook@...omium.org>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Dan Carpenter <dan.carpenter@...cle.com>,
	Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: Linux kernel: user-triggerable read-after-free crash or 1-bit infoleak oracle in open(2)

On Tue, Jan 28, 2020 at 10:48:10PM +0100, Solar Designer wrote:
> I intend to request a CVE ID and post it as a follow-up to this thread.

"Use CVE-2020-8428."

> Al Viro found and analyzed the security impact of and fixed a bug in
> Linux 4.19+ where open(2)'s eventual call to may_create_in_sticky() was
> "done when we already have dropped the reference to dir" and thus with
> dir (a "struct dentry" pointer) being potentially stale and potentially
> pointing to reused memory.

> The bug was introduced with commit 30aba6656f61 and first included in
> Linux 4.19.  Al fixed it with commit d0cb50185ae9 two days ago, and the
> fix is already in Linux 5.5 and Greg KH is getting it into stable.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.