oss-sec mailing list archives
Re: CVE request - Linux kernel - Unix sockets use after free - peer_wait_queue prematurely freed
From: cve-assign () mitre org
Date: Wed, 18 Nov 2015 07:40:58 -0500 (EST)
https://forums.grsecurity.net/viewtopic.php?f=3&t=4150
https://lkml.org/lkml/2014/5/15/532 eventpoll __list_del_entry corruption
https://lkml.org/lkml/2013/10/14/424 Re: epoll oops.
http://www.spinics.net/lists/netdev/msg318826.html [PATCH net] af_unix: don't poll dead peers
https://lkml.org/lkml/2015/9/13/195 List corruption on epoll_ctl(EPOLL_CTL_DEL) AF_UNIX socket
https://groups.google.com/forum/#!topic/syzkaller/3twDUI4Cpm8 Use-after-free in ep_remove_wait_queue
https://bugzilla.redhat.com/show_bug.cgi?id=1282688 Unix sockets use after free - peer_wait_queue prematurely freed

A flaw was found in the Linux kernel's implementation of Unix sockets (AF_UNIX). A server polling for data coming from a client socket may put the peer socket on a wait list. This peer may close the connection making the reference on the wait list no longer valid. A determined attacker could poison this memory and lead to bypassing permissions on the socket, and packets being injected into the stream. This may also panic the machine.

Use CVE-2013-7446.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]

Current thread:
- CVE request - Linux kernel - Unix sockets use after free - peer_wait_queue prematurely freed Wade Mealing (Nov 17)
- Re: CVE request - Linux kernel - Unix sockets use after free - peer_wait_queue prematurely freed Mathias Krause (Nov 18)
- Re: CVE request - Linux kernel - Unix sockets use after free - peer_wait_queue prematurely freed cve-assign (Nov 18)