oss-security - Security issue in Linux Kernel Keyring (CVE-2015-1333)

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Message-ID: <20150727141855.GA14038@boyd>
Date: Mon, 27 Jul 2015 09:18:55 -0500
From: Tyler Hicks <tyhicks@...onical.com>
To: oss-security@...ts.openwall.com
Cc: David Howells <dhowells@...hat.com>,
	Colin Ian King <colin.king@...onical.com>, security@...ntu.com
Subject: Security issue in Linux Kernel Keyring (CVE-2015-1333)

While improving the system call coverage in stress-ng[1], Colin Ian King
discovered a bug in the Linux kernel keyring that can be used to cause a
local denial of service due to memory exhaustion when the same key is
repeatedly added to the kernel keyring via the add_key() syscall.

This issue has been assigned CVE-2015-1333.

I've attached the fix since I don't yet have an upstream git commit
hash.

Tyler

[1] http://kernel.ubuntu.com/~cking/stress-ng/

View attachment "CVE-2015-1333.patch" of type "text/x-diff" (1382 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.