oss-sec mailing list archives

CVE request: Use-after-free in path lookup in Linux 3.11-4.0 inclusive


From: Ben Hutchings <ben () decadent org uk>
Date: Sat, 01 Aug 2015 17:37:42 +0100

Bug was introduced in Linux 3.11-rc1 by:

commit 60545d0d4610b02e55f65d141c95b18ccf855b6e
Author: Al Viro <viro () zeniv linux org uk>
Date:   Fri Jun 7 01:20:27 2013 -0400

    [O_TMPFILE] it's still short a few helpers, but infrastructure should be OK now...
    
    Signed-off-by: Al Viro <viro () zeniv linux org uk>

Fixed in 4.1-rc3 by:

commit f15133df088ecadd141ea1907f2c96df67c729f0
Author: Al Viro <viro () zeniv linux org uk>
Date:   Fri May 8 22:53:15 2015 -0400

    path_openat(): fix double fput()
    
    path_openat() jumps to the wrong place after do_tmpfile() - it has
    already done path_cleanup() (as part of path_lookupat() called by
    do_tmpfile()), so doing that again can lead to double fput().
    
    Cc: stable () vger kernel org  # v3.11+
    Signed-off-by: Al Viro <viro () zeniv linux org uk>

Thanks to Brad Spengler for pointing this out: <https://twitter.com/grsecurity/status/597127122910490624>

The fix was also included in the following stable releases:

v3.13.11-ckt22: d8ef4f4c5465 path_openat(): fix double fput()
v3.16.7-ckt12: bedf03d0b88d path_openat(): fix double fput()
v3.18.15: f42b455331b5 path_openat(): fix double fput()
v3.19.8-ckt1: cf32bb6d9d18 path_openat(): fix double fput()
v4.0.4: 335d3678d60d path_openat(): fix double fput()

Ben.

-- 
Ben Hutchings
One of the nice things about standards is that there are so many of them.
