oss-sec mailing list archives

CVE Requests: Linux: BPF flaws (one use-after-free / local root privilege escalation)

From: Salvatore Bonaccorso <carnil () debian org>
Date: Fri, 6 May 2016 15:14:55 +0200

A use-after-free flaw via double-fdput in bpf was recently fixed in
Linux. Details:

https://bugs.chromium.org/p/project-zero/issues/detail?id=808

Fixed via:
https://git.kernel.org/linus/8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7

And as well reported/forwarded in Debian:
https://bugs.debian.org/823603

Could you please assign a CVE for this issue?

The following two might as well warrant a CVE (Ben Hutchings CC'ed has
already applied those to the packaging repository in Debian):

bpf: fix refcnt overflow:
https://git.kernel.org/linus/92117d8443bc5afacc8d5ba82e541946310f106e

bpf: fix check_map_func_compatibility logic
https://git.kernel.org/linus/6aff67c85c9e5a4bc99e5211c1bac547936626ca

Not sure though if the later one has a security impact. The bug
allowed generic map functions to be applied to special map types
(program, perf events) that did not support them properly.

Regards,
Salvatore

Current thread:

CVE Requests: Linux: BPF flaws (one use-after-free / local root privilege escalation) Salvatore Bonaccorso (May 06)
- Re: CVE Requests: Linux: BPF flaws (one use-after-free / local root privilege escalation) cve-assign (May 06)
  - Re: Re: CVE Requests: Linux: BPF flaws (one use-after-free / local root privilege escalation) Jann Horn (May 09)