oss-sec mailing list archives
CVE-2016-4470: Linux kernel Uninitialized variable in request_key handling user controlled kfree().
From: Wade Mealing <wmealing () redhat com>
Date: Wed, 15 Jun 2016 16:29:50 +1000
Gday,

A flaw was found in the Linux kernel's keyring handling code, where in key_reject_and_link() there's an uninitialised variable that isn't set by __key_link_begin() on the destination keyring if that function fails.

If a destination keyring was supplied, then __key_link_end() is called whether or not __key_link_begin() succeeded, with the result that the edit pointers contains members which end up being freed. These are the user controlled addresses that can exist from previous memory contents.

Thanks,

Wade Mealing
Product Security Team

Resources:
https://bugzilla.redhat.com/show_bug.cgi?id=1341716

Patch:
https://www.spinics.net/lists/linux-kernel-janitors/msg26069.html
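The control-flow shape described in the message above, as an added userspace model (not kernel code, and not taken from the post or the linked patch). All `*_model`, `reject_*`, `stale_edit` and `link_ret` names are hypothetical; the end step records the pointer it would free instead of freeing it, and the guard shown is one way to close the gap.

```c
#include <errno.h>
#include <stdio.h>

struct edit_model { int unused; };           /* stand-in for the edit object */
static struct edit_model good_edit;          /* what a successful begin yields */
static struct edit_model stale_edit;         /* constructed: leftover memory contents */
static const struct edit_model *released;    /* pointer handed to the end step */

/* Models __key_link_begin(): on failure, *edit is left exactly as it was. */
static int link_begin_model(int fail, struct edit_model **edit)
{
    if (fail)
        return -ENOMEM;
    *edit = &good_edit;
    return 0;
}

/* Models __key_link_end(): records what it would free instead of freeing it. */
static void link_end_model(struct edit_model *edit) { released = edit; }

/* Flawed shape: the end step runs whenever a keyring was supplied. */
static const struct edit_model *reject_flawed(int have_keyring, int begin_fails)
{
    struct edit_model *edit = &stale_edit;   /* models the unset local variable */
    released = NULL;
    if (have_keyring) {
        link_begin_model(begin_fails, &edit);
        link_end_model(edit);
    }
    return released;
}

/* Guarded shape: initialise the local, run the end step only after success. */
static const struct edit_model *reject_guarded(int have_keyring, int begin_fails)
{
    struct edit_model *edit = NULL;
    int link_ret = -1;
    released = NULL;
    if (have_keyring)
        link_ret = link_begin_model(begin_fails, &edit);
    if (have_keyring && link_ret == 0)
        link_end_model(edit);
    return released;
}

int main(void)
{
    printf("flawed hands stale pointer to end: %d, guarded skips end: %d\n",
           reject_flawed(1, 1) == &stale_edit, reject_guarded(1, 1) == NULL);
    return 0;
}
```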