CVE-2017-6874: ucount: Remove the atomicity from ucount->count · torvalds/linux@040757f
Race condition in kernel/ucount.c in the Linux kernel through 4.10.2 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls that leverage certain decrement behavior that causes incorrect interaction between put_ucounts and get_ucounts.
ucount: Remove the atomicity from ucount->count
Always increment/decrement ucount->count under the ucounts_lock. The increments are there already, and moving the decrements there means the locking logic of the code is simpler. This simplification in the locking logic fixes a race between put_ucounts and get_ucounts that could result in a use-after-free, because the count could go to zero, then be found by get_ucounts, and then be freed by put_ucounts.
A bug, presumably this one, was found by a combination of syzkaller and KASAN. JongWhan Kim reported the syzkaller failure and Dmitry Vyukov spotted the race in the code.
Cc: [email protected]
Fixes: f6b2db1 ("userns: Make the count of user namespaces per user")
Reported-by: JongHwan Kim [email protected]
Reported-by: Dmitry Vyukov [email protected]
Reviewed-by: Andrei Vagin [email protected]
Signed-off-by: "Eric W. Biederman" [email protected]
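The window the commit message describes, modelled as an added example (this is not the kernel's code): a reference-counted object that is looked up through a table, with the old put (atomic decrement outside the lock, removal under it) split into its two steps so the get_ucounts call can be slotted between them, and the fixed put doing both under one lock section. The model is single-threaded and deterministic: the object lives in a static slot and "freed" is a flag rather than a real free(), the lock is a plain flag, and the step-function names are this example's own; only the names ucounts, ucounts_lock, get_ucounts and put_ucounts come from the commit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the kernel's struct ucounts: a refcount plus
 * two bookkeeping flags so the model never touches freed memory. */
struct ucounts {
    int count;       /* the reference count */
    bool in_table;   /* still reachable through the lookup table */
    bool freed;      /* memory has been returned to the allocator (modelled) */
};

/* One static slot stands in for the hashtable bucket; a flag stands in for
 * ucounts_lock. Both are fine because this model has exactly one thread. */
static struct ucounts slot;
static bool ucounts_lock;

static void lock(void)   { ucounts_lock = true; }
static void unlock(void) { ucounts_lock = false; }

/* Start each scenario from one live object holding a single reference. */
static void reset(void) {
    slot.count = 1; slot.in_table = true; slot.freed = false;
    ucounts_lock = false;
}

/* get_ucounts: look the object up under the lock and take a reference.
 * Returns NULL once the object has been removed from the table.
 * This part is the same before and after the fix. */
static struct ucounts *get_ucounts(void) {
    struct ucounts *p = NULL;
    lock();
    if (slot.in_table) { slot.count++; p = &slot; }
    unlock();
    return p;
}

/* OLD put_ucounts, split into its two steps: the decrement happens outside
 * the lock, and only the table removal happens under it. */
static bool old_put_step1_decrement(void) { return --slot.count == 0; }
static void old_put_step2_remove_and_free(void) {
    lock(); slot.in_table = false; unlock();
    slot.freed = true;            /* modelled free() */
}

/* NEW put_ucounts (after the fix): decrement and removal in one lock
 * section, so no one can find the object in the table once its count
 * has reached zero. */
static void new_put_ucounts(void) {
    lock();
    bool last = (--slot.count == 0);
    if (last) slot.in_table = false;
    unlock();
    if (last) slot.freed = true;  /* modelled free() */
}

/* Interleaving from the commit message: put drops the last reference,
 * get runs in the gap and takes a new one, put then frees the object.
 * Returns true when get handed out a pointer to memory that was freed. */
bool old_interleaving_yields_uaf(void) {
    reset();
    bool last = old_put_step1_decrement();      /* count 1 -> 0 */
    struct ucounts *p = get_ucounts();          /* still in table: count 0 -> 1 */
    if (last) old_put_step2_remove_and_free();  /* frees despite the new reference */
    return p != NULL && p->freed;
}

/* With the fix, get can only run before or after put's lock section. */
bool new_get_before_put_is_safe(void) {
    reset();
    struct ucounts *p = get_ucounts();          /* count 1 -> 2 */
    new_put_ucounts();                          /* count 2 -> 1, not the last ref */
    return p != NULL && !p->freed && p->count == 1;
}

bool new_get_after_put_is_safe(void) {
    reset();
    new_put_ucounts();                          /* count 1 -> 0, removed, freed */
    struct ucounts *p = get_ucounts();          /* no longer in table: NULL */
    return p == NULL;
}

int main(void) {
    printf("old put/get interleaving leaves a dangling reference: %d\n",
           old_interleaving_yields_uaf());
    printf("fixed put, get before it: safe %d\n", new_get_before_put_is_safe());
    printf("fixed put, get after it:  safe %d\n", new_get_after_put_is_safe());
    return 0;
}
```

The point the model makes is the one the commit makes: an atomic counter is not enough when the zero-check and the removal from the lookup structure are separate steps, because a lookup under the lock can still find and resurrect an object whose count has already hit zero. Folding the decrement into the same critical section as the removal closes that gap; the sanitizer finding (KASAN) that led to this fix is what a use-after-free on the old code path would look like in practice.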