lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <37574411-707e-89c9-5e77-35b254337664@huawei.com>
Date:   Thu, 10 Mar 2022 23:16:55 +0800
From:   "wanghai (M)" <wanghai38@...wei.com>
To:     "viro@...iv.linux.org.uk" <viro@...iv.linux.org.uk>,
        "maz@...nel.org" <maz@...nel.org>, <jbaron@...mai.com>,
        <akpm@...ux-foundation.org>, <khazhy@...gle.com>,
        <kaleshsingh@...gle.com>, <dbueso@...e.de>
CC:     linux-kernel <linux-kernel@...r.kernel.org>,
        <linux-fsdevel@...r.kernel.org>
Subject: epoll: Does anyone know about CVE-2021-39634

I've spent a long time and can't figure out the details of the following 
CVE, can anyone help me?

CVE-2021-39634 [1]
In fs/eventpoll.c, there is a possible use after free.

I have two questions:
1. How does the UAF problem happen?
2. Why it can be fixed by commit f8d4f44df056 ("epoll: do not insert 
into poll queues until all sanity checks are done") [2]

I'm guessing that patch [3] solved a problem similar to [4], is this 
correct?

Any feedback would be appreciated, thanks.

[1] https://nvd.nist.gov/vuln/detail/CVE-2021-39634
[2] https://www.linuxkernelcves.com/cves/CVE-2021-39634
[3] 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=f8d4f44df056c5b504b0d49683fb7279218fd207
[4] 
https://cloudfuzz.github.io/android-kernel-exploitation/chapters/root-cause-analysis.html

-- 
Wang Hai

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ