Bug 1334307 (CVE-2016-4557) - CVE-2016-4557 kernel: Use after free vulnerability via double fdput
Summary: CVE-2016-4557 kernel: Use after free vulnerability via double fdput
Status: CLOSED ERRATA
Alias: CVE-2016-4557
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20160426,repo...
Keywords: Security
Depends On: 1334311 1346578
Blocks: 1334304
TreeView+ depends on / blocked
 
Reported: 2016-05-09 11:20 UTC by Adam Mariš
Modified: 2019-06-08 21:11 UTC (History)
33 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2018-02-05 07:13:20 UTC


Attachments (Terms of Use)

Description Adam Mariš 2016-05-09 11:20:45 UTC
A use after free vulnerability was found in kernel which allows privilege escalation for users with a local account on the system. When a program was loaded with a bpf program an attacker could exploit this to gain root privileges by an unprivileged user.


When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode references a non-map file descriptor as a map file descriptor, the error handling code called fdput() twice instead of once (in __bpf_map_get() and in replace_map_fd_with_map_ptr()). If the file descriptor table of the current task is shared, this causes f_count to be decremented too much, allowing the struct file to be freed while it is still in use (use-after-free).

Bug was introduced in 0246e64d9a5f and is exploitable since 1be7f75d1668 without the need for CAP_SYS_ADMIN capability.

Upstream patch:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7

Original report:

https://bugs.chromium.org/p/project-zero/issues/detail?id=808

CVE request:

http://seclists.org/oss-sec/2016/q2/263

Comment 1 Adam Mariš 2016-05-09 11:28:48 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1334311]

Comment 2 Wade Mealing 2016-05-11 01:38:48 UTC
Statement:

This issue does not affect the Linux kernels as shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2.

Comment 5 Fedora Update System 2016-05-14 23:22:33 UTC
kernel-4.5.4-300.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2016-05-25 00:53:19 UTC
kernel-4.4.10-200.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2016-06-02 14:59:22 UTC
kernel-4.5.5-201.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.