List:       oss-security
Subject:    Re: [oss-security] Linux kernel: user-triggerable read-after-free crash or 1-bit infoleak oracle in 
From:       Solar Designer <solar () openwall ! com>
Date:       2020-01-28 23:50:22
Message-ID: 20200128235022.GA30755 () openwall ! com

On Tue, Jan 28, 2020 at 10:48:10PM +0100, Solar Designer wrote:
> I intend to request a CVE ID and post it as a follow-up to this thread.

"Use CVE-2020-8428."

> Al Viro found and analyzed the security impact of and fixed a bug in
> Linux 4.19+ where open(2)'s eventual call to may_create_in_sticky() was
> "done when we already have dropped the reference to dir" and thus with
> dir (a "struct dentry" pointer) being potentially stale and potentially
> pointing to reused memory.

> The bug was introduced with commit 30aba6656f61 and first included in
> Linux 4.19.  Al fixed it with commit d0cb50185ae9 two days ago, and the
> fix is already in Linux 5.5 and Greg KH is getting it into stable.

Alexander