Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20140304105848.GM12584@dhcp-25-225.brq.redhat.com>
Date: Tue, 4 Mar 2014 11:58:48 +0100
From: Petr Matousek <pmatouse@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2014-0100 -- Linux kernel: net: inet frag code race condition
 leading to user-after-free

A very subtle race condition between inet_frag_evictor,
inet_frag_intern and the IPv4/6 frag_queue and expire functions
(basically the users of inet_frag_kill/inet_frag_put) was found.

What happens is that after a fragment has been added to the hash chain
but before it's been added to the lru_list (inet_frag_lru_add), it may
get deleted (either by an expired timer if the system load is high or
the timer sufficiently low, or by the fraq_queue function for different
reasons) before it's added to the lru_list, then after it gets added
it's a matter of time for the evictor to get to a piece of memory which
has been freed leading to a number of different bugs depending on what's
left there.

Introduced by:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3ef0eb0d

Upstream patch submission:
http://patchwork.ozlabs.org/patch/325844/

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1070618

-- 
Petr Matousek / Red Hat Security Response Team
PGP: 0xC44977CA 8107 AF16 A416 F9AF 18F3  D874 3E78 6F42 C449 77CA

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.