
List:       oss-security
Subject:    Re: [oss-security] CVE request - kernel: find_keyring_by_name() can
From:       Josh Bressers <bressers () redhat ! com>
Date:       2010-04-28 0:11:10
Message-ID: 1196439653.2005101272413470325.JavaMail.root () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com

Please use CVE-2010-1437

Thanks.

-- 
    JB


----- "Eugene Teo" <eugene@redhat.com> wrote:

> Reported by Toshiyuki Okajima. find_keyring_by_name() can gain the 
> keyring which has been already freed. And then, its space (which is 
> gained by find_keyring_by_name()) is broken by accessing the freed 
> keyring as the available keyring:
> 
> 1) If the space of the freed keyring is reallocated for other purpose
> (ie. filp SLUB), the data of the filp object may be destroyed by the
> user of the freed keyring. (SLUB configuration can share the freed
> space with other same-size slabs.)
> 
> 2) If the slab space of the freed keyring is released into the system,
> the system panic may happen because accessing the space of the freed
> keyring causes the page-fault.
> 
> Example: (we can easily confirm this problem if CONFIG_SLUB is "y".)
> [1] with CONFIG_SLUB_DEBUG_ON
> While we are executing my reproducer (which is attached), we can notice
> that the user of the freed keyring breaks its space:
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> # ./reproducer &
> ...
> # dmesg
> ...
> =============================================================================
> BUG key_jar: Poison overwritten
> [...]
> 
> More info:
> http://www.gossamer-threads.com/lists/linux/kernel/1216391
> https://patchwork.kernel.org/patch/94038/
> https://bugzilla.redhat.com/show_bug.cgi?id=585094
> 
> Thanks, Eugene
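The race Eugene describes, as an added userspace model written for this page (not kernel code and not the patch linked above): a name lookup that bumps the usage count unconditionally, beside one that refuses to take a reference on a keyring whose count has already reached zero. The table, the names and the `freed` flag are constructed for the example; the "increment unless zero" helper is the general pattern, not a claim about the exact upstream fix.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <string.h>

/* Constructed keyring model; `freed` stands in for "memory back in the slab". */
struct keyring {
    const char *name;
    atomic_int usage;   /* 0 once the last reference has been put */
    int freed;          /* 1 once the object has actually been released */
};

/* Constructed table: "session" is already torn down (usage 0, memory freed)
 * but still reachable by name, which is the window the report describes. */
static struct keyring table[] = {
    { "user",    1, 0 },
    { "session", 0, 1 },
};
#define NTABLE (sizeof(table) / sizeof(table[0]))

/* Vulnerable pattern: take the reference unconditionally, so a dying keyring
 * is resurrected from usage 0; its memory may be free or reused by another slab object. */
struct keyring *find_keyring_by_name_unsafe(const char *name)
{
    for (size_t i = 0; i < NTABLE; i++) {
        if (strcmp(table[i].name, name) == 0) {
            atomic_fetch_add(&table[i].usage, 1);   /* 0 -> 1 on a dead object */
            return &table[i];
        }
    }
    return NULL;
}
/* Atomic "increment unless zero": returns 1 iff a reference was taken. */
static int usage_inc_not_zero(atomic_int *usage)
{
    int old = atomic_load(usage);
    while (old != 0)
        if (atomic_compare_exchange_weak(usage, &old, old + 1))
            return 1;   /* on failure `old` is refreshed, so just retry */
    return 0;
}
/* Hardened pattern: a keyring whose count already hit zero is treated as
 * not found, so a lookup can no longer obtain a live reference mid-teardown. */
struct keyring *find_keyring_by_name_safe(const char *name)
{
    for (size_t i = 0; i < NTABLE; i++)
        if (strcmp(table[i].name, name) == 0 &&
            usage_inc_not_zero(&table[i].usage))
            return &table[i];
    return NULL;
}
```

With CONFIG_SLUB_DEBUG_ON, the unsafe variant is what produces the "Poison overwritten" report quoted above: the returned object is written to after the allocator has poisoned it.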