A use-after-free vulnerability was found in the ppp_unregister_channel() function. It is triggered when a network namespace is removed while a ppp_async channel is still registered in it and ppp_unregister_channel() tries to access its per-netns data in the defunct namespace. An attacker who could control the memory that is being used in the defunct namespace could create a denial of service by spinlocking a CPU.

An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.

Upstream patch: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1f461dcdd296eecedaffffc6bae2bfa90bd7eb89

CVE request: http://seclists.org/oss-sec/2016/q2/319
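The lifetime problem in the description above, reduced to a userspace C model. This is an added example, not kernel code and not the upstream patch; every struct and function name in it is hypothetical. It contrasts a channel that does not pin its namespace with one that takes a reference at registration, using the teardown order from the report.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed userspace model; every name is hypothetical, not kernel code. */
struct netns {
    int refs;       /* reference count on the namespace */
    bool alive;     /* false once the per-netns data has been torn down */
    int channels;   /* per-netns state touched when a channel unregisters */
};
struct channel {
    struct netns *ns;  /* namespace the channel was registered in */
    bool holds_ref;    /* true when registration pinned the namespace */
};
/* Last put tears the namespace down; the model marks it dead instead of freeing. */
static void ns_put(struct netns *ns) { if (--ns->refs == 0) ns->alive = false; }

static void chan_register(struct channel *ch, struct netns *ns, bool take_ref)
{
    ch->ns = ns;
    ch->holds_ref = take_ref;
    if (take_ref) ns->refs++;      /* channel keeps the namespace alive */
    ns->channels++;
}

/* Returns 0 on a clean unregister, -1 if it would touch a dead namespace. */
static int chan_unregister(struct channel *ch)
{
    struct netns *ns = ch->ns;
    if (!ns->alive) return -1;     /* the use-after-free condition */
    ns->channels--;
    if (ch->holds_ref) ns_put(ns); /* release the pin taken at registration */
    return 0;
}

/* Order from the report: namespace removed first, channel unregisters after. */
static int teardown_then_unregister(bool take_ref)
{
    struct netns ns = { .refs = 1, .alive = true, .channels = 0 };
    struct channel ch;
    chan_register(&ch, &ns, take_ref);
    ns_put(&ns);                   /* namespace owner goes away */
    return chan_unregister(&ch);
}

int main(void)
{
    printf("unpinned: %d\n", teardown_then_unregister(false));
    printf("pinned:   %d\n", teardown_then_unregister(true));
    return 0;
}
```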
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1335804]
CVE assignment: http://seclists.org/oss-sec/2016/q2/346

Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=273ec51dd7ceaa76e038875d85061ec856d8905e
Statement: This issue affects the Linux kernels as shipped with Red Hat Enterprise Linux 6, 7 realtime and MRG-2 kernels and is not planned to be addressed in a future update.