kernel: tmpfs use-after-free

["Jason A. Donenfeld" <Jason () zx2c4 com>]

Hey all,

While everyone's going wild hndl->dump'ing with CVE-2013-1763, there's
apparently been another silent security fix with
5f00110f7273f9ff04ac69a5f85bb535a4fd0987 [1]:

> tmpfs: fix use-after-free of mempolicy object
>
> The tmpfs remount logic preserves filesystem mempolicy if the mpol=M
> option is not specified in the remount request.  A new policy can be
> specified if mpol=M is given.
>
> Before this patch remounting an mpol bound tmpfs without specifying
> mpol= mount option in the remount request would set the filesystem's
> mempolicy object to a freed mempolicy object.
>
> How far back does this issue go? I see it in both 2.6.36 and 3.3.  I did
> not look back further.


The commit message goes on with details on how to trigger it. Note
that as of 5eaf563e53294d6696e651466697eb9d491f3946 [2], you can now
mount filesystems as an unprivileged user after a call to
unshare(CLONE_NEWUSER | CLONE_NEWNS), or a similar clone(2) call. This
means all those random random filesystem bugs you have laying around
in the junk bin are now quite useful. ++tricks;

Cheers,
Jason


[1] http://git.zx2c4.com/linux/commit/?id=5f00110f7273f9ff04ac69a5f85bb535a4fd0987
[2] http://git.zx2c4.com/linux/commit/?id=5eaf563e53294d6696e651466697eb9d491f3946

--
Jason A. Donenfeld
www.zx2c4.com