oss-sec mailing list archives

CVE-2017-7487: Linux kernel: ipx: call ipxitf_put() in ioctl error path

From: Vladis Dronov <vdronov () redhat com>
Date: Fri, 12 May 2017 09:24:56 -0400 (EDT)

Hello,

A reference counter leak in Linux kernel in ipxitf_ioctl function was found
which results into use after free vulnerability that's triggerable from
unprivileged userspace when IPX interface is configured.

cvss3=5.6/CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H
cwe=CWE-416

References:

https://patchwork.ozlabs.org/patch/757549/

https://bugzilla.redhat.com/show_bug.cgi?id=1447734

Upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ee0d8d8482345ff97a75a7d747efc309f13b0d80

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer

Current thread:

CVE-2017-7472 Linux kernel: KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings Vladis Dronov (May 11)
- CVE-2017-7487: Linux kernel: ipx: call ipxitf_put() in ioctl error path Vladis Dronov (May 12)