Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 01 Aug 2015 17:37:42 +0100
From: Ben Hutchings <>
To: oss-security <>
Cc:, Brad Spengler <>
Subject: CVE request: Use-after-free in path lookup in Linux 3.11-4.0

Bug was introduced in Linux 3.11-rc1 by:

commit 60545d0d4610b02e55f65d141c95b18ccf855b6e
Author: Al Viro <>
Date:   Fri Jun 7 01:20:27 2013 -0400

    [O_TMPFILE] it's still short a few helpers, but infrastructure should be OK now...
    Signed-off-by: Al Viro <>

Fixed in 4.1-rc3 by:

commit f15133df088ecadd141ea1907f2c96df67c729f0
Author: Al Viro <>
Date:   Fri May 8 22:53:15 2015 -0400

    path_openat(): fix double fput()
    path_openat() jumps to the wrong place after do_tmpfile() - it has
    already done path_cleanup() (as part of path_lookupat() called by
    do_tmpfile()), so doing that again can lead to double fput().
    Cc:  # v3.11+
    Signed-off-by: Al Viro <>

Thanks to Brad Spengler for pointing this out:<>

The fix was also included in the following stable releases:

v3.13.11-ckt22: d8ef4f4c5465 path_openat(): fix double fput()
v3.16.7-ckt12: bedf03d0b88d path_openat(): fix double fput()
v3.18.15: f42b455331b5 path_openat(): fix double fput()
v3.19.8-ckt1: cf32bb6d9d18 path_openat(): fix double fput()
v4.0.4: 335d3678d60d path_openat(): fix double fput()


Ben Hutchings
One of the nice things about standards is that there are so many of them.

Download attachment "signature.asc" of type "application/pgp-signature" (812 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.