Message-ID: <20151027083712.GA1560@chrystal.uk.oracle.com>
Date: Tue, 27 Oct 2015 09:37:12 +0100
From: Quentin Casasnovas <quentin.casasnovas@...cle.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE-2015-6937 - Linux kernel - NULL pointer dereference in net/rds/connection.c

On Mon, Sep 14, 2015 at 03:34:59PM -0400, cve-assign@...re.org wrote:
> CVE-2015-6937 has been assigned to this issue that is exploitable "on
> sockets that weren't properly bound before attempting to send a
> message":
> 
>   https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=74e98eb085889b0d2d4908f59f6e00026063014f
> 

The above fix is incomplete and still allows triggering a NULL pointer
dereference when sending a message.  The root cause of this problem is a
race condition when checking that the socket is bound in rds_sendmsg();
more information and a complete fix can be found here:

  https://lkml.org/lkml/2015/10/16/530

It should hit Linus' tree soon but since distributions already started
shipping the incomplete fix, I thought it would be wise to mention this
here.

Quentin
