Bug 1250047 - CVE-2015-5706 kernel: Use-after-free in path lookup
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20150509,repor...
Keywords: Security
Depends On: 1250048
Blocks: 1250052
Reported: 2015-08-04 08:16 EDT by Adam Mariš
Modified: 2016-02-12 18:20 EST
Doc Type: Bug Fix
Doc Text:
A use-after-free flaw was found in the Linux kernel's path_openat() function, which incorrectly performed its cleanup twice (as part of path_lookupat() called by do_tmpfile()). Cleaning up twice can lead to a double fput(). A local, unauthenticated user could exploit this flaw to possibly cause a denial of service.
Last Closed: 2016-02-12 09:14:10 EST
Description Adam Mariš 2015-08-04 08:16:22 EDT
A flaw was found in the Linux kernel's function path_openat(), which would incorrectly clean up twice (as part of path_lookupat() called by
do_tmpfile()). Doing so can lead to a double fput(). This can lead to a use-after-free condition.

CVE assignment:
http://seclists.org/oss-sec/2015/q3/270

Introduced in this commit:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bb458c644a59dbba3a1fe59b27106c5e68e1c4bd

Upstream patch:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f15133df088ecadd141ea1907f2c96df67c729f0

OSS-SEC request:
http://seclists.org/oss-sec/2015/q3/371
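The double cleanup described in the report above, modeled in userspace as an added example. This is not kernel code, not the upstream patch, and not anything attached to this bug: the names (file_obj, obj_put, do_tmpfile_model, path_openat_buggy, path_openat_fixed) are assumptions made for the illustration. The buggy function mirrors the reported shape, a branch that has already released its path jumping to a shared exit label that releases it again; the hardened variant shows one way to avoid that, by having the branch that already gave up ownership skip the shared cleanup. A real second fput() would be a use-after-free, so the model counts the extra put instead of touching freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed userspace model of the CVE-2015-5706 pattern: one branch
 * releases an object, then the shared exit path releases it again. Not
 * kernel code; all names here are assumptions made for the illustration. */

struct file_obj {
    long refcount;
    int  released;   /* set once the model has "freed" the object */
};

/* A second fput() on a freed struct file is a use-after-free in the kernel;
 * the model counts it instead, so the program stays well-defined. */
struct model_stats {
    int releases;    /* times the object dropped to refcount 0 */
    int double_puts; /* puts issued against an already-released object */
};
static struct model_stats stats;

/* Analogue of fput()/path_put(): drop one reference, "free" at zero. Like
 * the real thing it does not clear the caller's pointer afterwards. */
static void obj_put(struct file_obj *f)
{
    if (f->released) {
        stats.double_puts++;   /* the flaw: a put after the object is gone */
        return;
    }
    if (--f->refcount == 0) {
        f->released = 1;
        stats.releases++;
    }
}

/* do_tmpfile()-like branch: it is done with the lookup state and releases
 * it itself before returning to the caller. */
static int do_tmpfile_model(struct file_obj *path)
{
    obj_put(path);             /* first, legitimate release */
    return 0;
}

/* Buggy shape: the tmpfile branch jumps to the common 'out' label, which
 * releases a path the branch has already released. */
static int path_openat_buggy(int want_tmpfile)
{
    struct file_obj *path = calloc(1, sizeof *path);
    int err = 0;

    if (!path)
        return -1;
    path->refcount = 1;        /* one reference, owned by this function */
    if (want_tmpfile) {
        err = do_tmpfile_model(path);
        goto out;              /* BUG: 'out' puts the path again */
    }
out:
    obj_put(path);             /* second put on the tmpfile branch */
    free(path);
    return err;
}

/* Hardened shape: the branch that already gave up the path skips the shared
 * cleanup, so every acquisition pairs with exactly one release. */
static int path_openat_fixed(int want_tmpfile)
{
    struct file_obj *path = calloc(1, sizeof *path);
    int err = 0;

    if (!path)
        return -1;
    path->refcount = 1;
    if (want_tmpfile) {
        err = do_tmpfile_model(path);
        goto out_released;     /* ownership already dropped: skip cleanup */
    }
    obj_put(path);
out_released:
    free(path);
    return err;
}

/* Run one variant with or without the tmpfile flag and report what the
 * model observed; only the buggy variant with the flag shows a double put. */
static struct model_stats run_model(int fixed, int want_tmpfile)
{
    memset(&stats, 0, sizeof stats);
    if (fixed)
        path_openat_fixed(want_tmpfile);
    else
        path_openat_buggy(want_tmpfile);
    return stats;
}

int main(void)
{
    struct model_stats b = run_model(0, 1), f = run_model(1, 1);
    printf("buggy: double_puts=%d  fixed: double_puts=%d\n", b.double_puts, f.double_puts);
    return 0;
}
```

The point the model makes is that the bug is a reference-ownership mistake rather than a memory-safety mistake in any one function: each release is correct in isolation, and the flaw only appears when a branch that has already dropped its reference falls into cleanup code written for branches that still hold it. When reviewing shared error-exit labels, check that every path reaching the label holds exactly the references the label releases.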
Comment 1 Adam Mariš 2015-08-04 08:17:07 EDT
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1250048]
Comment 2 Adam Mariš 2015-08-18 05:56:13 EDT
According to the following, this bug affects only the 3.19 and 4.0 kernel versions:
http://seclists.org/oss-sec/2015/q3/371
https://bugzilla.suse.com/show_bug.cgi?id=940339
Comment 3 Wade Mealing 2016-02-04 03:32:09 EST
Statement: 

This issue does not affect any shipping versions of Red Hat Enterprise Linux kernels. The patch causing the incorrect "double put" condition is not applied to any shipping kernel.
Comment 5 Wade Mealing 2016-02-12 00:56:27 EST
Updated, now this should be a little clearer.