CWE: 416

CVE-2014-0203: Use After Free

First published: Mon May 05 2014

It was found that proc_ns_follow_link() doesn't return LAST_BIND (unlike proc_pid_follow_link()), which leads to slab corruption caused by an excessive putname() in do_filp_open(). The slab corruption manifests itself later as a BUG() in cache_alloc_refill() when performing "$ echo > /proc/$$/ns/pid". Note that the trace below is taken on a subsequent getname() allocation from another open(), not at the faulty free itself, which is typical of slab corruption of this kind:

kernel BUG at mm/slab.c:3069!
invalid opcode: 0000 [#1] SMP
last sysfs file: /sys/devices/system/node/node0/meminfo
CPU 1
Modules linked in:
Pid: 2249, comm: bash Not tainted 2.6.32-431.5.1.el6.x86_64 #1
RIP: 0010:[<ffffffff8116ed14>]  [<ffffffff8116ed14>] cache_alloc_refill+0x1e4/0x240
RSP: 0018:ffff88007b69fe38  EFLAGS: 00010082
RAX: 000000000000000c RBX: ffff88007ec30f00 RCX: 00000000ffffffff
RDX: 000000000000000c RSI: 0000000000000000 RDI: ffff88007fa96580
RBP: ffff88007b69fe98 R08: 0000000000000000 R09: 000000000000002a
R10: 0000000000000076 R11: 0000000000000000 R12: ffff88007fa96580
R13: ffff88007fae8c40 R14: 000000000000000c R15: ffff88007d9386c0
FS:  00007f6f8819b700(0000) GS:ffff88000c420000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000006d3d88 CR3: 00000000374d1000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process bash (pid: 2249, threadinfo ffff88007b69e000, task ffff8800379a5540)
Stack:
 ffff88007b69fe58 00000000811a1edf ffff88007fae8c80 000412d07bdf1500
 ffff88007fae8c60 ffff88007fae8c50 ffff88007b69feb8 0000000001440530
 00000000000000d0 ffff88007ec30f00 00000000000000d0 0000000000000246
Call Trace:
 [<ffffffff8116fdcf>] kmem_cache_alloc+0x15f/0x190
 [<ffffffff81196ff7>] getname+0x47/0x240
 [<ffffffff81185ce2>] do_sys_open+0x32/0x140
 [<ffffffff81185e30>] sys_open+0x20/0x30
 [<ffffffff8100b072>] system_call_fastpath+0x16/0x1b
Code: 89 ff e8 70 57 12 00 eb 99 66 0f 1f 44 00 00 41 c7 45 60 01 00 00 00 4d 8b 7d 20 4c 39 7d c0 0f 85 f2 fe ff ff eb 84 0f 0b eb fe <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 eb f4 8b 55 ac 8b 75 bc 31
RIP  [<ffffffff8116ed14>] cache_alloc_refill+0x1e4/0x240
 RSP <ffff88007b69fe38>

An unprivileged local user could use this flaw to crash the system.

Upstream fix: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=86acdca1b63e6890540fa19495cfc708beff3d8b

Acknowledgements: Red Hat would like to thank Vladimir Davydov of Parallels for reporting this issue.
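The ownership rule behind the description, as an added example that is not part of the Red Hat report or of the kernel's own code: when a ->follow_link() leaves nd.last_type as LAST_NORM, do_filp_open() treats nd.last.name as a name it owns and puts it back; LAST_BIND tells it there is nothing to free. The userspace model below (its toy_* names, the four-slot stand-in slab and the sample paths are this example's own assumptions) runs that rule against an ordinary symlink, a proc-style link that sets LAST_BIND, and one that does not, and counts frees of pointers the slab never handed out. Where the real kernel's extra putname() lands depends on the path walked; the model only shows that the caller frees something it was never given.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { LAST_NORM, LAST_BIND };            /* the nameidata.last_type values at issue */
enum link_kind { LINK_NORMAL, LINK_PROC_FIXED, LINK_PROC_BUGGY };

/* Stand-in for the names_cache slab (this example's own, not kernel code):
 * fixed slots plus an in-use bit, so freeing a pointer the cache does not own
 * (a second free, or a pointer into the middle of an object) is counted
 * instead of silently corrupting free-list state. */
#define TOY_OBJ   64
#define TOY_SLOTS 4
static char toy_slab[TOY_SLOTS][TOY_OBJ];
static int  toy_in_use[TOY_SLOTS];
static int  toy_bad_frees;                /* what the real slab turns into a later BUG() */

static char *toy_getname(const char *s)
{
    for (int i = 0; i < TOY_SLOTS; i++) {
        if (toy_in_use[i])
            continue;
        toy_in_use[i] = 1;
        snprintf(toy_slab[i], TOY_OBJ, "%s", s);
        return toy_slab[i];
    }
    return NULL;
}

static void toy_putname(char *p)
{
    ptrdiff_t off = p ? p - &toy_slab[0][0] : -1;
    int i = (int)(off / TOY_OBJ);
    if (off < 0 || off >= (ptrdiff_t)sizeof toy_slab ||
        p != toy_slab[i] || !toy_in_use[i]) {
        toy_bad_frees++;                  /* not an object we handed out, or already freed */
        return;
    }
    toy_in_use[i] = 0;
}

int toy_slab_objects_in_use(void)
{
    int n = 0;
    for (int i = 0; i < TOY_SLOTS; i++)
        n += toy_in_use[i];
    return n;
}

struct toy_nameidata { int last_type; char *last_name; };

/* Trailing-symlink handling as the caller sees it, with three ->follow_link()
 * behaviours. Returns how many bad frees the open caused (0 = clean). */
int toy_do_filp_open(const char *user_path, enum link_kind kind, const char *link_target)
{
    int before = toy_bad_frees;
    char *tmp = toy_getname(user_path);    /* getname() of the user's path */
    if (!tmp)
        return -1;

    /* parent walk: nd.last names the final component and points INTO tmp;
     * nothing new was allocated for it (model assumption) */
    struct toy_nameidata nd;
    const char *slash = strrchr(tmp, '/');
    nd.last_name = (char *)(slash ? slash + 1 : tmp);
    nd.last_type = LAST_NORM;

    switch (kind) {
    case LINK_NORMAL: {
        /* ordinary symlink: the walker makes a fresh getname() copy of the
         * link's last component, which the caller owns and must put back */
        const char *base = strrchr(link_target, '/');
        nd.last_name = toy_getname(base ? base + 1 : link_target);
        nd.last_type = LAST_NORM;
        break;
    }
    case LINK_PROC_FIXED:
        /* proc-style link that jumps straight to a dentry: allocates nothing
         * and says so, which is what LAST_BIND means to the caller */
        nd.last_type = LAST_BIND;
        break;
    case LINK_PROC_BUGGY:
        /* proc_ns_follow_link() as described in the report: jumps to the
         * dentry but leaves last_type/last_name as the walker set them */
        break;
    }

    /* The contract: LAST_BIND means nothing to free; otherwise the caller
     * owns nd.last_name and puts it back. With the buggy link that "owned"
     * name is a pointer into tmp, so this is the excessive putname(). */
    if (nd.last_type != LAST_BIND)
        toy_putname(nd.last_name);

    toy_putname(tmp);                      /* putname() of the user's path on exit */
    return toy_bad_frees - before;
}

int main(void)
{
    printf("normal symlink         : %d bad frees\n", toy_do_filp_open("/tmp/link", LINK_NORMAL, "/etc/hostname"));
    printf("proc link with LAST_BIND: %d bad frees\n", toy_do_filp_open("/proc/1/ns/pid", LINK_PROC_FIXED, NULL));
    printf("proc link without it    : %d bad frees\n", toy_do_filp_open("/proc/1/ns/pid", LINK_PROC_BUGGY, NULL));
    return 0;
}
```

The last call is the CVE-2014-0203 shape: the open itself completes, the slab is left inconsistent, and nothing complains until a later allocation, exactly as the getname() in the trace above shows. The "pid"-only path in the test exercises the other way the same bug can land, a straight second free of the user's buffer.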

Credit: secalert@redhat.com

Affected Software   Affected Version   How to fix
Linux kernel        < 2.6.33
Oracle Linux        = 5
Oracle Linux        = 6
debian/linux                           5.10.223-1, 5.10.226-1, 6.1.115-1, 6.1.112-1, 6.11.7-1, 6.11.9-1

© 2024 SecAlerts Pty Ltd.