oss-sec mailing list archives
CVE-2017-15129: Linux kernel: net: double-free and memory corruption in get_net_ns_by_id()
From: Vladis Dronov <vdronov () redhat com>
Date: Fri, 5 Jan 2018 07:52:32 -0500 (EST)
Heololo,

A use-after-free vulnerability was found in the network namespaces code affecting the Linux kernel since v4.0-rc1 through v4.15-rc5. The function get_net_ns_by_id() does not check the net::count value after it has found a peer network in the netns_ids idr, which could lead to a double free and memory corruption.

This vulnerability could allow an unprivileged local user to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.

References:

https://marc.info/?l=linux-netdev&m=151370451121029&w=2
https://marc.info/?t=151370468900001&r=1&w=2 (a whole thread)
https://bugzilla.redhat.com/show_bug.cgi?id=1531174

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=21b5944350052d2583e82dd59b19a9ba94a007f0

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer
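The core of the bug is the refcount pattern: a lookup that finds a namespace through a still-present idr entry and then takes a reference unconditionally can revive an object whose count already reached zero, so the next put tears it down a second time. The upstream commit linked above changes the lookup to take the reference only if the count is still non-zero (the kernel's maybe_get_net() helper instead of get_net()). The following toy model is an added example written for this post, not kernel code and not part of the advisory; all names in it (struct netns, ns_get, ns_maybe_get, ns_put, lookup_unchecked, lookup_checked, simulate) are constructed, and it only models the ordering of the race window, not real kernel locking.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model of a refcounted network namespace (constructed, not kernel code). */
struct netns {
    int id;
    atomic_int count;   /* models net::count */
    int freed;          /* incremented each time the teardown path runs */
};

#define MAX_IDS 4
static struct netns *netns_ids[MAX_IDS];  /* models the netns_ids idr */

/* Unconditional reference grab: models the get_net() behaviour of the bug. */
static struct netns *ns_get(struct netns *ns)
{
    atomic_fetch_add(&ns->count, 1);
    return ns;
}

/* Take a reference only while count is non-zero: models maybe_get_net().
 * A zero count means teardown already ran (or is running), so refuse. */
static struct netns *ns_maybe_get(struct netns *ns)
{
    int old = atomic_load(&ns->count);
    while (old != 0) {
        if (atomic_compare_exchange_weak(&ns->count, &old, old + 1))
            return ns;
        /* old was refreshed by the failed CAS; retry */
    }
    return NULL;
}

/* Drop a reference; the transition 1 -> 0 runs teardown ("free"). */
static void ns_put(struct netns *ns)
{
    if (atomic_fetch_sub(&ns->count, 1) == 1)
        ns->freed += 1;  /* freed == 2 is the double free */
}

/* Vulnerable lookup: finds the peer in the idr and increments unconditionally. */
static struct netns *lookup_unchecked(int id)
{
    struct netns *peer = (id >= 0 && id < MAX_IDS) ? netns_ids[id] : NULL;
    return peer ? ns_get(peer) : NULL;
}

/* Fixed lookup: the same idr hit, but the reference is refused once count is 0. */
static struct netns *lookup_checked(int id)
{
    struct netns *peer = (id >= 0 && id < MAX_IDS) ? netns_ids[id] : NULL;
    return peer ? ns_maybe_get(peer) : NULL;
}

/* Scenario: the owner drops the last reference while the id is still in the idr
 * (the window the advisory describes). Returns how often teardown ran:
 * 1 is correct, 2 is a double free. */
static int simulate(struct netns *(*lookup)(int))
{
    static struct netns ns;
    ns.id = 1;
    atomic_store(&ns.count, 1);
    ns.freed = 0;
    netns_ids[1] = &ns;

    ns_put(&ns);                 /* last reference gone: freed == 1, count == 0 */
    struct netns *p = lookup(1); /* stale idr entry still points at ns */
    if (p)
        ns_put(p);               /* unchecked path: count 1 -> 0 again, freed == 2 */
    netns_ids[1] = NULL;
    return ns.freed;
}

int main(void)
{
    printf("unchecked lookup: teardown ran %d time(s)\n", simulate(lookup_unchecked));
    printf("checked lookup:   teardown ran %d time(s)\n", simulate(lookup_checked));
    return 0;
}
```

The checked variant does not make the stale idr entry go away; it only guarantees that a lookup racing with teardown fails instead of handing out a pointer to an object that is about to be, or already has been, freed. That is why a "find in index, then increment" pattern needs the increment to be conditional whenever the index can outlive the last reference.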