Message-ID: <1410041057.3565448.1515156752734.JavaMail.zimbra@redhat.com>
Date: Fri, 5 Jan 2018 07:52:32 -0500 (EST)
From: Vladis Dronov <vdronov@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2017-15129: Linux kernel: net: double-free and memory corruption in get_net_ns_by_id()

Hello,

A use-after-free vulnerability was found in the network namespaces code
affecting the Linux kernel since v4.0-rc1 through v4.15-rc5. The function
get_net_ns_by_id() does not check for the net::count value after it has found
a peer network in netns_ids idr which could lead to double free and memory
corruption. This vulnerability could allow an unprivileged local user to
induce kernel memory corruption on the system, leading to a crash. Due to the
nature of the flaw, privilege escalation cannot be fully ruled out, although
we believe it is unlikely.

References:

https://marc.info/?l=linux-netdev&m=151370451121029&w=2

https://marc.info/?t=151370468900001&r=1&w=2 (a whole thread)

https://bugzilla.redhat.com/show_bug.cgi?id=1531174

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=21b5944350052d2583e82dd59b19a9ba94a007f0

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer
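
The missing count check described in the message above, as an added userspace model that is not part of the original post and is neither kernel code nor the upstream patch. The names `struct ns`, `id_table`, `lookup_unchecked`, `lookup_checked`, `put_ref` and `late_lookup_frees` are hypothetical stand-ins, and the model assumes an entry can still be found by id after its count has dropped to zero.

```c
/* Userspace model, constructed for illustration; not kernel code. */
#include <stdatomic.h>
#include <stdio.h>

struct ns { atomic_int count; };    /* stand-in for struct net / net::count */
static struct ns *id_table[4];      /* stand-in for the netns_ids idr */
static struct ns *find(int id) { return (id >= 0 && id < 4) ? id_table[id] : NULL; }

/* Unchecked: bumps the count of whatever the table returns, even at 0. */
static struct ns *lookup_unchecked(int id)
{
    struct ns *p = find(id);
    if (p)
        atomic_fetch_add(&p->count, 1);
    return p;
}

/* Checked: take a reference only while the count is still non-zero. */
static struct ns *lookup_checked(int id)
{
    struct ns *p = find(id);
    int c = p ? atomic_load(&p->count) : 0;
    while (c != 0)
        if (atomic_compare_exchange_weak(&p->count, &c, c + 1))
            return p;
    return NULL;
}

/* Returns 1 when this put reaches zero, i.e. it schedules the free. */
static int put_ref(struct ns *p) { return atomic_fetch_sub(&p->count, 1) == 1; }

/* Frees scheduled when a lookup by id follows the last put (assumed window). */
static int late_lookup_frees(struct ns *(*lookup)(int))
{
    static struct ns dying;
    atomic_store(&dying.count, 1);
    id_table[1] = &dying;
    int frees = put_ref(&dying);    /* owner's last put: first free */
    struct ns *p = lookup(1);       /* late lookup, entry still in the table */
    if (p && put_ref(p))
        frees++;                    /* caller's put reaches zero again */
    return frees;
}

int main(void)
{
    printf("unchecked: %d frees\n", late_lookup_frees(lookup_unchecked));
    printf("checked:   %d frees\n", late_lookup_frees(lookup_checked));
    return 0;
}
```

In the unchecked form the same object has its release scheduled twice, which is the double-free condition the advisory names; the checked form refuses the late reference, so only the owner's release happens.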