oss-sec mailing list archives

Re: Linux kernel: user-triggerable read-after-free crash or 1-bit infoleak oracle in open(2)


From: Solar Designer <solar () openwall com>
Date: Wed, 29 Jan 2020 00:50:22 +0100

On Tue, Jan 28, 2020 at 10:48:10PM +0100, Solar Designer wrote:
> I intend to request a CVE ID and post it as a follow-up to this thread.

"Use CVE-2020-8428."

Al Viro found and analyzed the security impact of and fixed a bug in
Linux 4.19+ where open(2)'s eventual call to may_create_in_sticky() was
"done when we already have dropped the reference to dir" and thus with
dir (a "struct dentry" pointer) being potentially stale and potentially
pointing to reused memory.

The bug was introduced with commit 30aba6656f61 and first included in
Linux 4.19.  Al fixed it with commit d0cb50185ae9 two days ago, and the
fix is already in Linux 5.5 and Greg KH is getting it into stable.

Alexander
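The ordering defect described above (the sticky-directory check running after the reference to the directory entry has been dropped) can be illustrated with a small constructed model. This is an added example, not the kernel's code and not Al Viro's fix: `struct toy_dentry`, `toy_dget`, `toy_dput`, `toy_may_create_in_sticky` and `run_open` are invented stand-ins for `struct dentry`, `dget`/`dput` and `may_create_in_sticky()`, and "reuse" of freed memory is simulated by clearing the object's fields when its refcount reaches zero. The buggy path reads the object after the last reference is gone and so reaches a decision based on stale data; the corrected path performs the check while the reference is still held.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed toy model of a refcounted directory entry (not kernel code). */
#define TOY_S_ISVTX 01000u   /* sticky bit, same value as S_ISVTX */

struct toy_dentry {
    int refcount;
    unsigned mode;   /* permission bits; the sticky bit is what the check reads */
    int owner_uid;   /* owner of the directory */
    bool freed;      /* set when the last reference is dropped, so stale use is detectable */
};

static struct toy_dentry *toy_dget(struct toy_dentry *d)
{
    d->refcount++;
    return d;
}

/* Drop a reference. When it hits zero the object is "freed"; a real allocator could
 * hand the memory to someone else, which we model by scribbling over the fields. */
static void toy_dput(struct toy_dentry *d)
{
    if (--d->refcount == 0) {
        d->freed = true;
        d->mode = 0;        /* simulated reuse: the sticky bit appears cleared */
        d->owner_uid = -1;
    }
}

/* Stand-in for may_create_in_sticky(): in a sticky directory only the owner may create.
 * Returns true if creation is allowed; counts reads of a freed object in *stale_reads. */
static bool toy_may_create_in_sticky(const struct toy_dentry *dir, int caller_uid, int *stale_reads)
{
    if (dir->freed)
        (*stale_reads)++;   /* instrumentation: a read-after-free happened here */
    if (!(dir->mode & TOY_S_ISVTX))
        return true;
    return dir->owner_uid == caller_uid;
}

/* Buggy ordering: the reference to dir is dropped before the check uses dir. */
static bool open_buggy(struct toy_dentry *dir, int caller_uid, int *stale_reads)
{
    toy_dget(dir);
    /* ... path walk would happen here ... */
    toy_dput(dir);                                            /* last reference gone */
    return toy_may_create_in_sticky(dir, caller_uid, stale_reads); /* dir may be stale */
}

/* Corrected ordering: run the check while we still hold the reference, then drop it. */
static bool open_fixed(struct toy_dentry *dir, int caller_uid, int *stale_reads)
{
    toy_dget(dir);
    bool ok = toy_may_create_in_sticky(dir, caller_uid, stale_reads);
    toy_dput(dir);
    return ok;
}

struct outcome {
    bool allowed;     /* decision the open path reached */
    int stale_reads;  /* how many times a freed object was read */
};

/* Scenario (constructed): a sticky directory owned by uid 1000 whose only reference is the
 * one taken during the open, and a caller with uid 1001 who is not the owner. */
struct outcome run_open(bool fixed)
{
    struct toy_dentry dir = { .refcount = 0, .mode = 0755u | TOY_S_ISVTX,
                              .owner_uid = 1000, .freed = false };
    struct outcome o = { .allowed = false, .stale_reads = 0 };
    o.allowed = fixed ? open_fixed(&dir, 1001, &o.stale_reads)
                      : open_buggy(&dir, 1001, &o.stale_reads);
    return o;
}

int main(void)
{
    struct outcome b = run_open(false), f = run_open(true);
    printf("buggy: allowed=%d stale_reads=%d\n", b.allowed, b.stale_reads);
    printf("fixed: allowed=%d stale_reads=%d\n", f.allowed, f.stale_reads);
    return 0;
}
```

In the buggy path the check reads the object once after it was freed and, because the simulated reuse cleared the sticky bit, wrongly allows the non-owner; the fixed path never touches freed memory and denies the caller. In the real kernel the stale read would hit whatever the allocator put in that memory next, which is why the post describes the outcome as either a crash or a one-bit information leak, and why the fix is an ordering change rather than an added check.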
