[v3.2] kernel: Use-after-free in path lookup (CVE-2015-5706)
path_openat() jumps to the wrong place after do_tmpfile() - it has
already done path_cleanup() (as part of path_lookupat() called by
do_tmpfile()), so doing that again can lead to double fput().
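As an added illustration (not kernel code and not part of this tracker entry), a constructed userspace model of the control flow described above: the path_openat(), do_tmpfile(), path_lookupat() and path_cleanup() bodies are simplified stand-ins, the assumption being that path_cleanup() drops nd->base without clearing it, and the counters exist only to make the second fput() observable next to the fixed jump target.

```c
/* Constructed userspace model of the CVE-2015-5706 control-flow bug: names
 * mirror fs/namei.c, bodies are simplified stand-ins, not kernel code. */
struct file { int refcount; int freed; };
struct nameidata { struct file *base; };  /* reference taken by the lookup */
static int fput_calls;   /* fput() calls during the current open */
static int double_fput;  /* set when fput() hits an already-released file */
static void fput(struct file *f)
{
    fput_calls++;
    if (f->freed) { double_fput = 1; return; }  /* use-after-free in the kernel */
    if (--f->refcount == 0) f->freed = 1;
}
/* path_cleanup() drops nd->base without clearing it (modelling assumption). */
static void path_cleanup(struct nameidata *nd) { if (nd->base) fput(nd->base); }
/* path_lookupat() cleans up after itself and do_tmpfile() calls it; the
 * regular open path leaves cleanup to path_openat()'s own "out:" label. */
static int path_lookupat(struct nameidata *nd) { path_cleanup(nd); return 0; }
static int do_tmpfile(struct nameidata *nd) { return path_lookupat(nd); }
static int regular_lookup(struct nameidata *nd) { (void)nd; return 0; }
/* Buggy shape: the O_TMPFILE branch jumps to the label that runs
 * path_cleanup() a second time. */
static int path_openat_buggy(struct nameidata *nd, int tmpfile)
{
    int error;
    if (tmpfile) { error = do_tmpfile(nd); goto out; }  /* wrong target */
    error = regular_lookup(nd);
out:
    path_cleanup(nd);
    return error;
}
/* Fixed shape (commit f15133df088e): jump past path_cleanup() instead. */
static int path_openat_fixed(struct nameidata *nd, int tmpfile)
{
    int error;
    if (tmpfile) { error = do_tmpfile(nd); goto out2; }
    error = regular_lookup(nd);
    path_cleanup(nd);
out2:
    return error;
}
/* Runs one open on a fresh nameidata whose base holds one reference and
 * returns how many times fput() ran; last_open_double_fput() says whether
 * one of those calls hit an already-released file. */
static int run_open(int (*open_fn)(struct nameidata *, int), int tmpfile)
{
    struct file base = { 1, 0 };
    struct nameidata nd = { &base };
    fput_calls = 0; double_fput = 0;
    open_fn(&nd, tmpfile);
    return fput_calls;
}
static int last_open_double_fput(void) { return double_fput; }
```

With the buggy shape an O_TMPFILE open releases nd->base twice (the second call is the use-after-free in the real kernel); the fixed shape and the regular open path each release it exactly once.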
Bug was introduced in Linux 3.11-rc1 by:
commit 60545d0d4610b02e55f65d141c95b18ccf855b6e
Author: Al Viro <viro () zeniv linux org uk>
Date: Fri Jun 7 01:20:27 2013 -0400
[O_TMPFILE] it’s still short a few helpers, but infrastructure should be OK now…
Signed-off-by: Al Viro <viro () zeniv linux org uk>
Fixed in 4.1-rc3 by:
commit f15133df088ecadd141ea1907f2c96df67c729f0
Author: Al Viro <viro () zeniv linux org uk>
Date: Fri May 8 22:53:15 2015 -0400
path_openat(): fix double fput()
path_openat() jumps to the wrong place after do_tmpfile() - it has
already done path_cleanup() (as part of path_lookupat() called by
do_tmpfile()), so doing that again can lead to double fput().
Cc: stable () vger kernel org # v3.11+
Signed-off-by: Al Viro <viro () zeniv linux org uk>
The fix was also included in the following stable releases:
v3.13.11-ckt22: d8ef4f4c5465 path_openat(): fix double fput()
v3.16.7-ckt12: bedf03d0b88d path_openat(): fix double fput()
v3.18.15: f42b455331b5 path_openat(): fix double fput()
v3.19.8-ckt1: cf32bb6d9d18 path_openat(): fix double fput()
upstream commit:
f15133df088ecadd141ea1907f2c96df67c729f0
linux-3.18.y commit:
f42b455331b5eb2ef5f2cecab28941eb1fada554
linux-3.14.y commit:
none
Reference:
http://seclists.org/oss-sec/2015/q3/277
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f15133df088ecadd141ea1907f2c96df67c729f0
(from redmine: issue id 4596, created on 2015-08-26, closed on 2017-05-19)
- Relations:
- parent #4593 (closed)