Bug 1250047 - (CVE-2015-5706) kernel: Use-after-free in path lookup
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Depends On: 1250048
Blocks: 1250052
Reported: 2015-08-04 08:16 EDT by Adam Mariš
Modified: 2016-02-12 18:20 EST (History)
Doc Type: Bug Fix
Doc Text:
A use-after-free flaw was found in the Linux kernel's path_openat() function, which incorrectly cleans up twice (the first cleanup happens as part of path_lookupat() called by do_tmpfile()). Cleaning up twice can lead to a double fput(). A local, unauthenticated user could exploit this flaw to possibly cause a denial of service.
Last Closed: 2016-02-12 09:14:10 EST

Attachments: None
Description Adam Mariš 2015-08-04 08:16:22 EDT
A flaw was found in the Linux kernel's function path_openat(), which would incorrectly clean up twice (as part of path_lookupat() called by do_tmpfile()). Doing so again can lead to a double fput(). This can lead to a use-after-free condition.

CVE assignment:

Introduced in this commit:

Upstream patch:

OSS-SEC request:
Comment 1 Adam Mariš 2015-08-04 08:17:07 EDT
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1250048]
Comment 2 Adam Mariš 2015-08-18 05:56:13 EDT
According to this, this bug affects only 3.19 and 4.0 kernel versions:
Comment 3 Wade Mealing 2016-02-04 03:32:09 EST

This issue does not affect any shipping versions of Red Hat Enterprise Linux kernels. The patch causing the incorrect "double put" condition is not applied to any shipping kernel.
Comment 5 Wade Mealing 2016-02-12 00:56:27 EST
Updated, now this should be a little clearer.