Bug 1250047 (CVE-2015-5706) - CVE-2015-5706 kernel: Use-after-free in path lookup
Summary: CVE-2015-5706 kernel: Use-after-free in path lookup
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2015-5706
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1250048
Blocks: 1250052
TreeView+ depends on / blocked
 
Reported: 2015-08-04 12:16 UTC by Adam Mariš
Modified: 2021-02-17 05:03 UTC (History)
38 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A use-after-free flaw was found in the Linux kernels function path_openat() in which incorrectly clears up twice (as part of path_lookupat() called by do_tmpfile()). Clearing twice can lead to a double fput(). A local, unauthenticated user could exploit this flaw to possibly cause a denial of service.
Clone Of:
Environment:
Last Closed: 2016-02-12 14:14:10 UTC


Attachments (Terms of Use)

Description Adam Mariš 2015-08-04 12:16:22 UTC
A flaw was found in the Linux kernels function path_openat() in which would incorrectly clear up twice (as part of path_lookupat() called by
do_tmpfile(). Doing so again can lead to double fput().  This can lead to a use-after free condition.

CVE assignment:
http://seclists.org/oss-sec/2015/q3/270

Introduced in this commit:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bb458c644a59dbba3a1fe59b27106c5e68e1c4bd

Upstream patch:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f15133df088ecadd141ea1907f2c96df67c729f0

OSS-SEC request:
http://seclists.org/oss-sec/2015/q3/371

Comment 1 Adam Mariš 2015-08-04 12:17:07 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1250048]

Comment 2 Adam Mariš 2015-08-18 09:56:13 UTC
According to this, this bug affects only 3.19 and 4.0 kernel versions:
http://seclists.org/oss-sec/2015/q3/371
https://bugzilla.suse.com/show_bug.cgi?id=940339

Comment 3 Wade Mealing 2016-02-04 08:32:09 UTC
Statement: 

This issue does not affect any shipping versions of Red Hat Enterprise Linux kernels. The patch causing the incorrect "double put" condition is not applied to any shipping kernel.

Comment 5 Wade Mealing 2016-02-12 05:56:27 UTC
Updated, now this should be a little clearer.


Note You need to log in before you can comment on or make changes to this bug.