1250047 – (CVE-2015-5706) CVE-2015-5706 kernel: Use-after-free in path lookup

Bug 1250047 (CVE-2015-5706) - CVE-2015-5706 kernel: Use-after-free in path lookup

Summary: CVE-2015-5706 kernel: Use-after-free in path lookup

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2015-5706
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1250048
Blocks:	1250052
TreeView+	depends on / blocked

Reported:	2015-08-04 12:16 UTC by Adam Mariš
Modified:	2021-02-17 05:03 UTC (History)
CC List:	38 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	A use-after-free flaw was found in the Linux kernels function path_openat() in which incorrectly clears up twice (as part of path_lookupat() called by do_tmpfile()). Clearing twice can lead to a double fput(). A local, unauthenticated user could exploit this flaw to possibly cause a denial of service.
Clone Of:
Environment:
Last Closed:	2016-02-12 14:14:10 UTC
Embargoed:

Attachments	(Terms of Use)

Description Adam Mariš 2015-08-04 12:16:22 UTC

A flaw was found in the Linux kernels function path_openat() in which would incorrectly clear up twice (as part of path_lookupat() called by
do_tmpfile(). Doing so again can lead to double fput().  This can lead to a use-after free condition.

CVE assignment:
http://seclists.org/oss-sec/2015/q3/270

Introduced in this commit:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bb458c644a59dbba3a1fe59b27106c5e68e1c4bd

Upstream patch:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f15133df088ecadd141ea1907f2c96df67c729f0

OSS-SEC request:
http://seclists.org/oss-sec/2015/q3/371

Comment 1 Adam Mariš 2015-08-04 12:17:07 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1250048]

Comment 2 Adam Mariš 2015-08-18 09:56:13 UTC

According to this, this bug affects only 3.19 and 4.0 kernel versions:
http://seclists.org/oss-sec/2015/q3/371
https://bugzilla.suse.com/show_bug.cgi?id=940339

Comment 3 Wade Mealing 2016-02-04 08:32:09 UTC

Statement: 

This issue does not affect any shipping versions of Red Hat Enterprise Linux kernels. The patch causing the incorrect "double put" condition is not applied to any shipping kernel.

Comment 5 Wade Mealing 2016-02-12 05:56:27 UTC

Updated, now this should be a little clearer.

Note You need to log in before you can comment on or make changes to this bug.

agordeev
aquini
arm-mgr
bhu
blc
dhoward
esammons
fhrbata
gansalmon
iboverma
itamar
jforbes
jkacur
joelsmith
jonathan
jross
jrusnack
jwboyer
kernel-maint
kernel-mgr
lgoncalv
lwang
madhu.chinakonda
matt
mchehab
mcressma
mguzik
mlangsdo
nmurray
pholasek
plougher
rt-maint
rvrbovsk
slong
vdronov
vgoyal
williams
wmealing