oss-sec mailing list archives
CVE request: Use-after-free in path lookup in Linux 3.11-4.0 inclusive
From: Ben Hutchings <ben () decadent org uk>
Date: Sat, 01 Aug 2015 17:37:42 +0100
Bug was introduced in Linux 3.11-rc1 by:

commit 60545d0d4610b02e55f65d141c95b18ccf855b6e
Author: Al Viro <viro () zeniv linux org uk>
Date:   Fri Jun 7 01:20:27 2013 -0400

    [O_TMPFILE] it's still short a few helpers, but infrastructure should be OK now...

    Signed-off-by: Al Viro <viro () zeniv linux org uk>

Fixed in 4.1-rc3 by:

commit f15133df088ecadd141ea1907f2c96df67c729f0
Author: Al Viro <viro () zeniv linux org uk>
Date:   Fri May 8 22:53:15 2015 -0400

    path_openat(): fix double fput()

    path_openat() jumps to the wrong place after do_tmpfile() - it has
    already done path_cleanup() (as part of path_lookupat() called by
    do_tmpfile()), so doing that again can lead to double fput().

    Cc: stable () vger kernel org # v3.11+
    Signed-off-by: Al Viro <viro () zeniv linux org uk>

Thanks to Brad Spengler for pointing this out:
<https://twitter.com/grsecurity/status/597127122910490624>

The fix was also included in the following stable releases:

v3.13.11-ckt22: d8ef4f4c5465 path_openat(): fix double fput()
v3.16.7-ckt12: bedf03d0b88d path_openat(): fix double fput()
v3.18.15: f42b455331b5 path_openat(): fix double fput()
v3.19.8-ckt1: cf32bb6d9d18 path_openat(): fix double fput()
v4.0.4: 335d3678d60d path_openat(): fix double fput()

Ben.

--
Ben Hutchings
One of the nice things about standards is that there are so many of them.
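A triage check built from the releases listed in the message above, as an added example that is not part of the original post or of any kernel tooling. The function name `classify`, the status strings and the accepted version formats (`3.18.15`, `v3.13.11-ckt22`, `4.1-rc2`) are assumptions; it only reasons about upstream and stable version strings, so a distribution kernel that backported f15133df088e under another version number has to be checked against its own changelog.

```python
import re

# First fixed release per stable series, taken from the message above:
# (major, minor) -> (patch level, -ckt level; 0 when the release has none)
FIXED = {
    (3, 13): (11, 22),  # v3.13.11-ckt22
    (3, 16): (7, 12),   # v3.16.7-ckt12
    (3, 18): (15, 0),   # v3.18.15
    (3, 19): (8, 1),    # v3.19.8-ckt1
    (4, 0): (4, 0),     # v4.0.4
}
_VER = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-ckt(\d+))?(?:-rc(\d+))?")


def classify(release):
    """Return 'not-affected', 'affected', 'fixed' or 'unlisted'."""
    m = _VER.match(release.strip())
    if not m:
        raise ValueError("unrecognised kernel version: %r" % release)
    series = (int(m.group(1)), int(m.group(2)))
    level = (int(m.group(3) or 0), int(m.group(4) or 0))
    rc = m.group(5)
    if series < (3, 11):
        return "not-affected"      # predates 60545d0d4610 (3.11-rc1)
    if series > (4, 0):
        # Mainline fix landed in 4.1-rc3; 4.1-rc1 and -rc2 predate it.
        if series == (4, 1) and rc is not None and int(rc) < 3:
            return "affected"
        return "fixed"
    if series in FIXED:
        return "fixed" if level >= FIXED[series] else "affected"
    return "unlisted"              # in 3.11-4.0, but no fixed release listed


if __name__ == "__main__":
    # Constructed sample inputs, not taken from real hosts.
    for v in ("3.10.80", "3.13.11-ckt21", "3.18.15", "3.19.8", "4.0.4", "4.1-rc2"):
        print(v, classify(v))
```

An `unlisted` result means the series is inside the affected range but the message names no fixed release for it, so that branch's own changelog is the place to look for the backport.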