List: oss-security
Subject: Re: [oss-security] Security issue in Linux Kernel Keyring (CVE-2015-1333)
From: Tyler Hicks <tyhicks () canonical ! com>
Date: 2015-07-28 17:26:33
Message-ID: 20150728172632.GA3132 () boyd
On 2015-07-27 09:18:55, Tyler Hicks wrote:
> While improving the system call coverage in stress-ng[1], Colin Ian King
> discovered a bug in the Linux kernel keyring that can be used to cause a
> local denial of service due to memory exhaustion when the same key is
> repeatedly added to the kernel keyring via the add_key() syscall.
>
> This issue has been assigned CVE-2015-1333.

mancha pinged me on IRC while trying to figure out what kernel versions
are affected and I realized that I forgot to include an important detail in
my original email.

The following commit introduced the issue:

  commit 034faeb9ef390d58239e1dce748143f6b35a0d9b
  Date: Wed Oct 30 11:15:24 2013 +0000

      KEYS: Fix keyring quota misaccounting on key replacement and unlink

Which means that v3.13 and newer kernels are affected:

  $ git describe --contains 034faeb9ef390d58239e1dce748143f6b35a0d9b
  v3.13-rc1~18^2~6^2~2

Tyler