Re: CVE request: Use-after-free in Linux kernel with aufs mmap patch

[Salvatore Bonaccorso <carnil () debian org>]

Hi

On Thu, Sep 10, 2015 at 08:26:30PM +0100, Ben Hutchings wrote:
> The aufs (Advanced Union Filesystem) project provides an optional patch
> for the Linux kernel, called either aufs3-mmap.patch or
> aufs4-mmap.patch, which is needed to ensure correct behaviour of
> memory-mapped files from an aufs mount.
>
> Each memory mapping (vma) holds a reference to the file that is mapped.
> This patch makes it also hold a reference to the virtual file on the
> union mount through which the file was found, where applicable.
>
> In two functions, madvise_remove() and sys_msync(), it is necessary to
> take an extra reference to the mapped file before unlocking the current
> memory management state, as the vma may be freed after that point.
> Unfortunately the aufs patch introduces later uses of the vma, resulting
> in a potential use-after-free.  This is certainly exploitable for a
> minor denial of service (BUG in process context, so the task can't be
> cleaned up properly but the system does not panic) but might also be
> usable for privilege escalation.
>
> I posted a patch here that works for me:
> http://sourceforge.net/p/aufs/mailman/message/34449209/
>
> Please assign a CVE ID to this.

Adding MITRE's CVE assignment team to CC.

Can you assign a CVE for this issue?
http://www.openwall.com/lists/oss-security/2015/09/18/10 confirms that
Ben Hutchins' patch fixes the issue.

Regards,
Salvatore