A use-after-free flaw was discovered in aio_poll() in fs/aio.c in the Linux kernel. A file may be released by aio_poll_wake() if an expected event is triggered immediately (e.g., by the close of a pair of pipes) after the return of vfs_poll(), and this will cause a use-after-free. The use-after-free could possibly be used to create memory corruption or possibly privilege escalation by a determined attacker. References: https://patchwork.kernel.org/patch/10828359/
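The description above boils down to a reference-counting ordering bug: the completion path may drop the request's only reference to the file before the submitting code has finished touching it. The following is an added, user-space toy model of that pattern and of the fix's idea (keep a reference pinned for the whole submission); it is not kernel code and not the upstream patch. All names (toy_file, toy_req, toy_vfs_poll, toy_wake, submit_unsafe, submit_safe) are constructed for the illustration, and a `live` flag stands in for the allocation so the stale access is detected rather than being undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Toy user-space model of the reference-counting mistake behind the
 * aio_poll() use-after-free. Nothing here is kernel code; all names are
 * constructed for this illustration. Objects are never really freed: a
 * 'live' flag stands in for the allocation so a stale access can be
 * detected safely instead of being undefined behaviour.
 */
struct toy_file {
    int refcount;
    bool live;      /* false once the last reference is dropped ("freed") */
    int pending;    /* non-zero if a poll event is already pending */
};

static void toy_open(struct toy_file *f, int pending) {
    f->refcount = 1;    /* the reference taken on submission (like fget()) */
    f->live = true;
    f->pending = pending;
}

static struct toy_file *toy_get(struct toy_file *f) { f->refcount++; return f; }

static void toy_put(struct toy_file *f) {
    if (--f->refcount == 0)
        f->live = false;    /* models the file being released */
}

/* Poll request that owns the submission's file reference. */
struct toy_req {
    struct toy_file *file;
    bool completed;
};

/* Models the wake-up/completion callback: finishing the request drops
 * the request's file reference. */
static void toy_wake(struct toy_req *req) {
    req->completed = true;
    toy_put(req->file);
}

/* Models vfs_poll(): if the event is already pending, the wake-up runs
 * synchronously, before this function returns to the caller. */
static int toy_vfs_poll(struct toy_req *req) {
    int mask = req->file->pending;
    if (mask)
        toy_wake(req);
    return mask;
}

/* Pre-fix flow: the submitter keeps using req->file after toy_vfs_poll()
 * returns, although the completion may already have dropped the only
 * reference. Returns true if that post-poll access touched a released file. */
static bool submit_unsafe(int pending) {
    struct toy_file f;
    toy_open(&f, pending);
    struct toy_req req = { .file = &f, .completed = false };
    toy_vfs_poll(&req);
    return !req.file->live;     /* access after the reference may be gone */
}

/* Fixed flow, in the spirit of the upstream change: the submitter pins the
 * file with its own reference for the whole submission and drops it only
 * after it has finished touching the object. */
static bool submit_safe(int pending) {
    struct toy_file f;
    toy_open(&f, pending);
    struct toy_req req = { .file = toy_get(&f), .completed = false };  /* submitter's own ref */
    toy_vfs_poll(&req);
    bool stale = !f.live;       /* still live: at least one reference remains */
    toy_put(&f);                /* submitter is done with the file */
    return stale;
}

int main(void) {
    printf("event pending, no extra ref : %s\n", submit_unsafe(1) ? "use-after-free" : "ok");
    printf("event pending, pinned       : %s\n", submit_safe(1)   ? "use-after-free" : "ok");
    printf("no event, no extra ref      : %s\n", submit_unsafe(0) ? "use-after-free" : "ok");
    return 0;
}
```

The model reproduces the trigger named in the report: the stale access only occurs when the event is already pending, so that the wake-up runs synchronously inside the poll call; when nothing is pending, both flows behave identically.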
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1695075]
The linked patch is actually not sufficient, the patch that went upstream is commit 84c4e1f89fefe70554da0ab33be72c9be7994379 and included in 5.0.5 stable. This was fixed for Fedora with the 5.0.5 stable release.
Upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=84c4e1f89fefe70554da0ab33be72c9be7994379
In reply to comment #2:
> The linked patch is actually not sufficient, the patch that went upstream is
> commit 84c4e1f89fefe70554da0ab33be72c9be7994379 and included in 5.0.5 stable.
> This was fixed for Fedora with the 5.0.5 stable release.
Thanks for the patch info, I've updated it.