CVE-2014-0100 -- Linux kernel: net: inet frag code race condition leading to user-after-free

[Petr Matousek <pmatouse () redhat com>]

A very subtle race condition between inet_frag_evictor,
inet_frag_intern and the IPv4/6 frag_queue and expire functions
(basically the users of inet_frag_kill/inet_frag_put) was found.

What happens is that after a fragment has been added to the hash chain
but before it's been added to the lru_list (inet_frag_lru_add), it may
get deleted (either by an expired timer if the system load is high or
the timer sufficiently low, or by the fraq_queue function for different
reasons) before it's added to the lru_list, then after it gets added
it's a matter of time for the evictor to get to a piece of memory which
has been freed leading to a number of different bugs depending on what's
left there.

Introduced by:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3ef0eb0d

Upstream patch submission:
http://patchwork.ozlabs.org/patch/325844/

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1070618

-- 
Petr Matousek / Red Hat Security Response Team
PGP: 0xC44977CA 8107 AF16 A416 F9AF 18F3  D874 3E78 6F42 C449 77CA