Message-ID: <CALJHwhQrWQ-TZ2cO=L3v8AVt-OOXGRvdXgtMxABKz6XFnXg9Aw@mail.gmail.com>
Date: Wed, 15 Jun 2016 16:29:50 +1000
From: Wade Mealing <wmealing@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2016-4470: Linux kernel Uninitialized variable in request_key handling user controlled kfree().

Gday,

A flaw was found in the Linux kernel's keyring handling code, where in
key_reject_and_link() there's an uninitialised variable that isn't set by
__key_link_begin() on the destination keyring if that function fails. If a
destination keyring was supplied, then __key_link_end() is called whether or
not __key_link_begin() succeeded, with the result that the edit pointers
contains members which end up being freed. These are the user controlled
addresses that can exist from previous memory contents.

Thanks,

Wade Mealing
Product Security Team

Resources:
https://bugzilla.redhat.com/show_bug.cgi?id=1341716

Patch:
https://www.spinics.net/lists/linux-kernel-janitors/msg26069.html
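
The error path described in the message above, as an added userspace C model that is not code from the message, the kernel or the linked patch. All function names are hypothetical stand-ins, `stale` simulates previous memory contents in the uninitialised variable, both functions model the case where a destination keyring was supplied, and the hardened variant is one way to close the gap rather than a copy of the upstream fix.

```c
/* Userspace model of the error path; all names are hypothetical stand-ins,
 * not kernel code. Nothing is freed: link_end() only records its argument. */
#include <stddef.h>
#include <stdio.h>

struct edit { int unused; };
static struct edit *last_freed;   /* pointer link_end() was asked to release */

/* Models __key_link_begin(): on failure *out is left untouched. */
static int link_begin(int fail, struct edit *fresh, struct edit **out)
{
    if (fail)
        return -1;
    *out = fresh;
    return 0;
}

/* Models __key_link_end(): releases whatever edit it is handed. */
static void link_end(struct edit *e) { last_freed = e; }

/* Flawed shape: cleanup depends only on a keyring having been supplied.
 * `stale` stands in for leftover memory in the uninitialised variable. */
static struct edit *reject_buggy(int fail, struct edit *fresh, struct edit *stale)
{
    struct edit *edit = stale;
    last_freed = NULL;
    link_begin(fail, fresh, &edit);   /* return value ignored */
    link_end(edit);
    return last_freed;
}

/* Hardened shape: pointer starts NULL, cleanup runs only if begin succeeded. */
static struct edit *reject_fixed(int fail, struct edit *fresh)
{
    struct edit *edit = NULL;
    int link_ret;
    last_freed = NULL;
    link_ret = link_begin(fail, fresh, &edit);
    if (link_ret == 0)
        link_end(edit);
    return last_freed;
}

int main(void)
{
    struct edit fresh, stale;     /* constructed sample objects */
    printf("buggy, begin fails: released stale? %d\n", reject_buggy(1, &fresh, &stale) == &stale);
    printf("fixed, begin fails: released anything? %d\n", reject_fixed(1, &fresh) != NULL);
    return 0;
}
```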