[yocto-security] FW: Linux kernel: use after free in keyring facility.
Sona Sarmadi
sona.sarmadi at enea.com
Wed Jan 20 23:28:21 PST 2016
FYI,
More info:
http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
http://www.theregister.co.uk/2016/01/19/linux_kernel_keyrings_get_privilege_escalation_patch/
//Sona
> -----Original Message-----
> From: Wade Mealing [mailto:wmealing at redhat.com]
> Sent: den 19 januari 2016 12:59
> To: OSS Security List <oss-security at lists.openwall.com>
> Subject: [oss-security] Linux kernel: use after free in keyring facility.
>
> Gday,
>
> It was reported that possible use-after-free vulnerability in keyring
> facility, possibly leading to local privilege escalation was found. The
> function join_session_keyring in security/keys/process_keys.c holds a
> reference to the requested keyring, but if that keyring is the same as the
> one being currently used by the process, the kernel wouldn't decrease
> keyring->usage before returning to userspace. The usage field can be
> overflowed causing use-after-free on the keyring object.
>
> This was introduced in commit
> 3a50597de8635cd05133bd12c95681c82fe7b878.
>
> Perception point reported this vulnerability to Red Hat and it has been
> assigned CVE-2016_0728.
>
> Red Hat Bugzilla flaw:
> https://bugzilla.redhat.com/show_bug.cgi?id=1297475
>
> Investigation:
> http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-
> linux-kernel-vulnerability-cve-2016-0728/
>
> Patches will be available shortly with the upstream fix and are also
> explained in the investigation link above.
More information about the yocto-security
mailing list