oss-sec mailing list archives
CVE-2014-0100 -- Linux kernel: net: inet frag code race condition leading to use-after-free
From: Petr Matousek <pmatouse () redhat com>
Date: Tue, 4 Mar 2014 11:58:48 +0100
A very subtle race condition between inet_frag_evictor, inet_frag_intern and the IPv4/6 frag_queue and expire functions (basically the users of inet_frag_kill/inet_frag_put) was found.

What happens is that after a fragment has been added to the hash chain but before it's been added to the lru_list (inet_frag_lru_add), it may get deleted (either by an expired timer if the system load is high or the timer sufficiently low, or by the frag_queue function for different reasons). Then, after it gets added, it's a matter of time for the evictor to get to a piece of memory which has been freed, leading to a number of different bugs depending on what's left there.

Introduced by: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3ef0eb0d

Upstream patch submission: http://patchwork.ozlabs.org/patch/325844/

References: https://bugzilla.redhat.com/show_bug.cgi?id=1070618

-- 
Petr Matousek / Red Hat Security Response Team
PGP: 0xC44977CA 8107 AF16 A416 F9AF 18F3 D874 3E78 6F42 C449 77CA
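The ordering described in the post, as an added single-threaded model that is not part of the original message or of the kernel source. It replays the sequence deterministically: the hash insert, a timer expiry that kills and puts the queue while the chain lock is dropped, the late inet_frag_lru_add, the caller's final put, and an evictor walk of the LRU list. The hash chain, LRU list, refcount, "timer" and the POISON marker standing in for kfree are this example's own stand-ins, and the "fixed" ordering (doing the LRU insert before the lock is released, so the expiry cannot interleave) is this example's choice of mitigation, not a claim about the exact upstream patch.

```c
/*
 * Deterministic model of the CVE-2014-0100 ordering bug (example code, not
 * kernel code). The chain/LRU lists are pointer arrays, the refcount is a plain
 * int, the "timer" is a direct call, and a freed queue is marked with POISON
 * instead of being unmapped so the evictor can detect a dangling pointer.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAXQ 8
#define POISON 0xdeadbeefu     /* stand-in for kfree: marks the object as gone */
#define FRAG_COMPLETE 0x1u

struct frag_queue {
    unsigned magic;            /* becomes POISON once "freed" */
    int refcnt;
    unsigned last_in;
    int id;
};

/* Per-"netns" state: one hash chain and the LRU list. */
struct netns_frags {
    struct frag_queue *chain[MAXQ]; int chain_len;
    struct frag_queue *lru[MAXQ];   int lru_len;
};

static void list_add(struct frag_queue **l, int *n, struct frag_queue *q)
{
    l[(*n)++] = q;
}

/* Removing an entry that is not on the list is a no-op, like list_del on an
 * INIT_LIST_HEAD'd node: this is exactly why a kill before lru_add "succeeds". */
static void list_del(struct frag_queue **l, int *n, struct frag_queue *q)
{
    for (int i = 0; i < *n; i++) {
        if (l[i] == q) {
            memmove(&l[i], &l[i + 1], (size_t)(*n - i - 1) * sizeof *l);
            (*n)--;
            return;
        }
    }
}

/* inet_frag_destroy trusts that inet_frag_kill already unlinked the queue. */
static void frag_put(struct frag_queue *q)
{
    if (--q->refcnt == 0)
        q->magic = POISON;
}

/* inet_frag_kill: unlink from hash and LRU, drop the hash's reference, mark complete. */
static void frag_kill(struct netns_frags *nf, struct frag_queue *q)
{
    if (q->last_in & FRAG_COMPLETE)
        return;
    list_del(nf->chain, &nf->chain_len, q);
    list_del(nf->lru, &nf->lru_len, q);
    q->last_in |= FRAG_COMPLETE;
    frag_put(q);
}

/* Timer handler (ip_expire / ip6_frag_expire): kill, then drop the timer's reference. */
static void frag_expire(struct netns_frags *nf, struct frag_queue *q)
{
    frag_kill(nf, q);
    frag_put(q);
}

/*
 * inet_frag_intern with an explicit interleaving point. With vulnerable_order
 * the timer fires after the chain lock is dropped but before the LRU insert;
 * otherwise the LRU insert happens under the same lock and the timer can only
 * run once both inserts are done (this example's assumed fix).
 */
static void frag_intern(struct netns_frags *nf, struct frag_queue *q, bool vulnerable_order)
{
    q->refcnt++;                               /* reference held by the timer */
    q->refcnt++;                               /* reference held by the hash chain */
    list_add(nf->chain, &nf->chain_len, q);
    if (vulnerable_order)
        frag_expire(nf, q);                    /* lock dropped here in the buggy code */
    list_add(nf->lru, &nf->lru_len, q);        /* inet_frag_lru_add */
    if (!vulnerable_order)
        frag_expire(nf, q);                    /* lock released only now */
}

/* inet_frag_evictor: walk the LRU list; return how many entries point at freed memory. */
static int frag_evictor(struct netns_frags *nf)
{
    int dangling = 0;
    while (nf->lru_len > 0) {
        struct frag_queue *q = nf->lru[0];
        list_del(nf->lru, &nf->lru_len, q);
        if (q->magic == POISON) { dangling++; continue; }  /* kernel would touch garbage here */
        q->refcnt++;
        frag_kill(nf, q);
        frag_put(q);
    }
    return dangling;
}

/* Whole sequence once; returns the number of freed queues the evictor met on the LRU list. */
static int run_scenario(bool vulnerable_order)
{
    struct netns_frags nf = {0};
    struct frag_queue q = { .magic = 0xf00du, .refcnt = 1, .last_in = 0, .id = 1 }; /* caller's ref */
    frag_intern(&nf, &q, vulnerable_order);
    frag_put(&q);                              /* ip_frag_queue path finishes: ipq_put */
    return frag_evictor(&nf);
}

int main(void)
{
    printf("vulnerable ordering: %d dangling LRU entries\n", run_scenario(true));
    printf("fixed ordering:      %d dangling LRU entries\n", run_scenario(false));
    return 0;
}
```

In the vulnerable ordering the kill runs while the queue is not yet on the LRU list, so its list_del is a no-op, the later lru_add links a queue whose only remaining reference belongs to the caller, and the caller's put frees it without unlinking; the evictor then meets the poisoned entry. Inserting into the LRU list before the lock is released means the kill unlinks from both lists and the evictor never sees the freed object.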