A flaw was found in the way ping_init_sock() function handled group_info struct reference counter. Since group_info refcounter is only incremented but never decremented in this codepath, it could lead to refcounter overflow and possibly to use-after-free issue later. An unprivileged local user could use this flaw to crash the system or, potentially, escalate their privileges on the system. Upstream patch proposal: https://lkml.org/lkml/2014/4/10/736
Statement: This issue does not affect Linux kernel packages as shipped with Red Hat Enterprise Linux 5.
Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=b04c46190219a4f845e46a459e3102137b7f6cac
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1087420]
kernel-3.13.10-200.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
kernel-3.13.11-100.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products: MRG for RHEL-6 v.2 Via RHSA-2014:0557 https://rhn.redhat.com/errata/RHSA-2014-0557.html
This issue has been addressed in following products: Red Hat Enterprise Linux 7 Via RHSA-2014:0786 https://rhn.redhat.com/errata/RHSA-2014-0786.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2014:0981 https://rhn.redhat.com/errata/RHSA-2014-0981.html
IssueDescription: A use-after-free flaw was found in the way the ping_init_sock() function of the Linux kernel handled the group_info reference counter. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system.
This issue has been addressed in following products: Red Hat Enterprise Linux 6.4 EUS - Server and Compute Node Only Via RHSA-2014:1101 https://rhn.redhat.com/errata/RHSA-2014-1101.html
interesting discussion of exploitability: https://cyseclabs.com/page?n=02012016