Bug 1250047 (CVE-2015-5706)

Summary: CVE-2015-5706 kernel: Use-after-free in path lookup
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: agordeev, aquini, arm-mgr, bhu, blc, dhoward, esammons, fhrbata, gansalmon, iboverma, itamar, jforbes, jkacur, joelsmith, jonathan, jross, jrusnack, jwboyer, kernel-maint, kernel-mgr, lgoncalv, lwang, madhu.chinakonda, matt, mchehab, mcressma, mguzik, mlangsdo, nmurray, pholasek, plougher, rt-maint, rvrbovsk, slong, vdronov, vgoyal, williams, wmealing
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A use-after-free flaw was found in the Linux kernel's path_openat() function, which incorrectly cleaned up twice (as part of path_lookupat() called by do_tmpfile()). Cleaning up twice can lead to a double fput(). A local, unauthenticated user could exploit this flaw to possibly cause a denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-02-12 14:14:10 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1250048
Bug Blocks: 1250052

Description Adam Mariš 2015-08-04 12:16:22 UTC
A flaw was found in the Linux kernel's path_openat() function, which would incorrectly clean up twice (as part of path_lookupat() called by
do_tmpfile()). Doing so again can lead to a double fput(). This can lead to a use-after-free condition.

CVE assignment:
http://seclists.org/oss-sec/2015/q3/270

Introduced in this commit:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bb458c644a59dbba3a1fe59b27106c5e68e1c4bd

Upstream patch:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f15133df088ecadd141ea1907f2c96df67c729f0

OSS-SEC request:
http://seclists.org/oss-sec/2015/q3/371
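
The double-release pattern the report describes, as an added C model that is neither the kernel's code nor part of this bug entry: a refcounted stand-in for struct file, a lookup helper that already releases the file on failure (as the lookup called from do_tmpfile() did), and a caller whose shared error label releases it again beside a caller that leaves the release to the helper. The object is never really freed, so the second put is counted rather than touching freed memory; every name except fput() is hypothetical.

```c
/* Toy refcounted object standing in for the kernel's struct file. */
struct file {
    int refcount;
    int freed;        /* set once the last reference has been dropped */
    int double_puts;  /* puts that arrived after the object was "freed" */
};

/* Drop one reference. In the real kernel a put on an already-freed
 * object touches freed memory; here it is recorded instead. */
static void fput(struct file *f)
{
    if (f->freed) {
        f->double_puts++;
        return;
    }
    if (--f->refcount == 0)
        f->freed = 1;
}

/* Hypothetical lookup helper: on failure it releases the file itself
 * before returning, so the caller no longer owns a reference. */
static int tmpfile_lookup(struct file *file, int fail)
{
    if (fail) {
        fput(file);
        return -1;
    }
    return 0;
}

/* Buggy caller: the failure path jumps to a common error label that
 * releases the file a second time (the double fput() in the report). */
static int open_buggy(struct file *file)
{
    int err = tmpfile_lookup(file, 1);
    if (err)
        goto out;          /* wrong label: the helper already released file */
    return 0;
out:
    fput(file);
    return err;
}

/* Fixed caller: ownership is explicit, so a helper failure returns
 * without touching the reference the helper already dropped. */
static int open_fixed(struct file *file)
{
    int err = tmpfile_lookup(file, 1);
    return err ? err : 0;
}

/* Run one flow on a fresh object and report how many double puts occurred. */
static int count_double_puts(int (*open)(struct file *))
{
    struct file f = { .refcount = 1 };
    open(&f);
    return f.double_puts;
}
```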

Comment 1 Adam Mariš 2015-08-04 12:17:07 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1250048]

Comment 2 Adam Mariš 2015-08-18 09:56:13 UTC
According to this, this bug affects only 3.19 and 4.0 kernel versions:
http://seclists.org/oss-sec/2015/q3/371
https://bugzilla.suse.com/show_bug.cgi?id=940339

Comment 3 Wade Mealing 2016-02-04 08:32:09 UTC
Statement:

This issue does not affect any shipping versions of Red Hat Enterprise Linux kernels. The patch causing the incorrect "double put" condition is not applied to any shipping kernel.

Comment 5 Wade Mealing 2016-02-12 05:56:27 UTC
Updated, now this should be a little clearer.