oss-sec mailing list archives

Re: Linux tcp_xmit_retransmit_queue use after free on 4.8-rc1 / master


From: cve-assign () mitre org
Date: Wed, 17 Aug 2016 23:36:57 -0400 (EDT)

This program will cause a use after free of read 4 in
tcp_xmit_retransmit_queue or other tcp_ functions, often in another totally
unrelated process.

Tested on master available at the time of writing and on 4.8 rc1.

[   21.446876] BUG: KASAN: use-after-free in tcp_xmit_retransmit_queue+0xc75/0xdb0 at addr ffff88007a06d428
[   21.447953] Read of size 4 by task rsyslogd/1612

...

ip6_dst_check+0x262/0x410

syscall(SYS_socket, 0xaul, 0x1ul, 0x0ul, 0, 0, 0);

Use CVE-2016-6828.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]