Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1334307 - (CVE-2016-4557) CVE-2016-4557 kernel: Use after free vulnerability via double fdput
CVE-2016-4557 kernel: Use after free vulnerability via double fdput
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20160426,repo...
: Security
Depends On: 1334311 1346578
Blocks: 1334304
  Show dependency treegraph
 
Reported: 2016-05-09 07:20 EDT by Adam Mariš
Modified: 2018-02-12 15:16 EST (History)
33 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-02-05 02:13:20 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Adam Mariš 2016-05-09 07:20:45 EDT 
A use after free vulnerability was found in kernel which allows privilege escalation for users with a local account on the system. When a program was loaded with a bpf program an attacker could exploit this to gain root privileges by an unprivileged user.


When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode references a non-map file descriptor as a map file descriptor, the error handling code called fdput() twice instead of once (in __bpf_map_get() and in replace_map_fd_with_map_ptr()). If the file descriptor table of the current task is shared, this causes f_count to be decremented too much, allowing the struct file to be freed while it is still in use (use-after-free).

Bug was introduced in 0246e64d9a5f and is exploitable since 1be7f75d1668 without the need for CAP_SYS_ADMIN capability.

Upstream patch:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7

Original report:

https://bugs.chromium.org/p/project-zero/issues/detail?id=808

CVE request:

http://seclists.org/oss-sec/2016/q2/263
Comment 1 Adam Mariš 2016-05-09 07:28:48 EDT 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1334311]
Comment 2 Wade Mealing 2016-05-10 21:38:48 EDT 
Statement:

This issue does not affect the Linux kernels as shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2.
Comment 5 Fedora Update System 2016-05-14 19:22:33 EDT 
kernel-4.5.4-300.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2016-05-24 20:53:19 EDT 
kernel-4.4.10-200.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2016-06-02 10:59:22 EDT 
kernel-4.5.5-201.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.