Linux Kernel 3.12.3 ioctx_alloc local system crash

2014.04.01
Credit: Sasha Levin
Risk: Medium
Local: Yes
Remote: No
CVE: CVE-2013-7348
CWE: CWE-399


CVSS Base Score: 4.6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

aio: prevent double free in ioctx_alloc ioctx_alloc() calls aio_setup_ring() to allocate a ring. If aio_setup_ring() fails to do so it would call aio_free_ring() before returning, but ioctx_alloc() would call aio_free_ring() again causing a double free of the ring. This is easily reproducible from userspace. diff --git a/fs/aio.c b/fs/aio.c index ee77dc1..6313533 100644 --- a/fs/aio.c +++ b/fs/aio.c @@ -610,7 +610,6 @@ static struct kioctx *ioctx_alloc(unsigned nr_events) err_cleanup: aio_nr_sub(ctx->max_reqs); err: - aio_free_ring(ctx); free_percpu(ctx->cpu); free_percpu(ctx->reqs.pcpu_count); free_percpu(ctx->users.pcpu_count);

References:

https://github.com/torvalds/linux/commit/d558023207e008a4476a3b7bb8706b2a2bf5d84f
http://www.openwall.com/lists/oss-security/2014/03/31/10
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.12.4
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=d558023207e008a4476a3b7bb8706b2a2bf5d84f


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top