Bug 1273845

Summary: kernel: Use after free in ep_remove_wait_queue
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agordeev, aquini, bhu, carnil, dhoward, esammons, fhrbata, gansalmon, iboverma, itamar, jforbes, jkacur, joelsmith, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, kstutsma, lgoncalv, lwang, madhu.chinakonda, matt, mchehab, mcressma, mguzik, mrg-program-list, nmurray, pholasek, plougher, rvrbovsk, slawomir, williams, wmealing
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-18 04:34:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1273846    

Description Adam Mariš 2015-10-21 11:44:31 UTC 
A use-after-free vulnerability causing memory corruption was found in kernel.

Reproducer with report can be found here:

https://groups.google.com/forum/#!topic/syzkaller/3twDUI4Cpm8

Patch can be found here:

http://article.gmane.org/gmane.linux.kernel/2057498
Comment 1 Josh Boyer 2015-10-21 12:45:34 UTC 
The patches don't compile and there's still on-going discussion on the correct solution.  I believe we're waiting for Jason to send a v5 of the series.