A race condition was found in the Linux kernel, present since v3.14-rc1 up to and including v4.12. The race happens between threads of inotify_handle_event() and vfs_rename() while running the rename operation against the same file. As a result of the race, the next slab data or the slab's free list pointer can be corrupted with attacker-controlled data, which may lead to privilege escalation.

The researchers of this flaw are Leilei Lin from Alibaba Group and Fan Wu and Shixiong Zhao from a research group supervised by Dr. Heming Cui of the Department of Computer Science, The University of Hong Kong. Thanks to Rui Gu and Prof. Junfeng Yang from Columbia University for tools and suggestions.

References:
http://seclists.org/oss-sec/2017/q3/240
https://access.redhat.com/security/vulnerabilities/3112931
https://patchwork.kernel.org/patch/9755753/
https://patchwork.kernel.org/patch/9755757/
https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1408967.html
https://bugzilla.kernel.org/show_bug.cgi?id=196279 (restricted access)

Upstream patch: 49d31c2f389a
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=49d31c2f389acfe83417083e1208422b4091cd9
Created attachment 1296934: dmesg-slub-debug.txt
Statement: This issue does not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5, 6, 7.0 and 7.1 as the code with the flaw is not present in the products listed. This issue affects the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 7.2 and newer and Red Hat Enterprise MRG 2. Future kernel updates for these products may address this issue.
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1478086]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2473 https://access.redhat.com/errata/RHSA-2017:2473
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2585 https://access.redhat.com/errata/RHSA-2017:2585
This issue has been addressed in the following products: Red Hat Enterprise MRG 2 Via RHSA-2017:2669 https://access.redhat.com/errata/RHSA-2017:2669
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.3 Extended Update Support Via RHSA-2017:2770 https://access.redhat.com/errata/RHSA-2017:2770
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.2 Extended Update Support Via RHSA-2017:2869 https://access.redhat.com/errata/RHSA-2017:2869
Acknowledgments: Name: Leilei Lin (Alibaba Group), Fan Wu (The University of Hong Kong), Shixiong Zhao (The University of Hong Kong), Shankara Pailoor (Columbia University), Andrew Aday (Columbia University)