[v3.0] kernel: fs: race condition in the handle_to_path function (CVE-2015-1420)
Race condition in the handle_to_path function in fs/fhandle.c in the Linux kernel through 3.19.1 allows local users to bypass intended size restrictions and trigger read operations on additional memory locations by changing the handle_bytes value of a file handle during the execution of this function.
Not found to be fixed upstream at the moment (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/fs/fhandle.c). Not sure if Alpine Linux branches are vulnerable.
References:
http://seclists.org/oss-sec/2015/q1/331
PATCH: http://marc.info/?l=linux-kernel&m=142247707318982&w=2
CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1187534
(from redmine: issue id 4028, created on 2015-04-06, closed on 2017-09-05)
- Relations:
- parent #4025
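
The size-check bypass described above is a double fetch: the size is validated on one read of user memory and then trusted from a second read. The following is an added userspace model of that pattern next to a single-fetch variant; it is not kernel source and not the referenced patch. `fetch_user`, `run_case`, the fixed-size `file_handle` layout and the `MAX_HANDLE_SZ` value are assumptions of the model, and the concurrent write is simulated deterministically.

```c
#include <stddef.h>
#include <string.h>

#define MAX_HANDLE_SZ 128  /* size limit the check enforces (model value) */
struct file_handle {       /* simplified layout with a fixed-size payload */
    unsigned int handle_bytes;
    int handle_type;
    unsigned char f_handle[MAX_HANDLE_SZ];
};
#define HDR offsetof(struct file_handle, f_handle)

static struct file_handle user;   /* constructed stand-in for user memory */
static unsigned int racer_value;  /* value a concurrent writer stores; 0 = none */
static int fetches;

/* Models copy_from_user; the concurrent write lands right after fetch 1. */
static void fetch_user(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
    if (++fetches == 1 && racer_value)
        user.handle_bytes = racer_value;
}

/* Double fetch: the header is read twice, only the first copy is checked. */
static long load_double_fetch(struct file_handle *k)
{
    struct file_handle hdr;
    fetch_user(&hdr, &user, HDR);
    if (hdr.handle_bytes > MAX_HANDLE_SZ) return -1;
    fetch_user(k, &user, HDR + hdr.handle_bytes); /* overwrites checked size */
    return k->handle_bytes;
}

/* Single fetch: keep the validated header, copy only the payload afterwards. */
static long load_single_fetch(struct file_handle *k)
{
    struct file_handle hdr;
    fetch_user(&hdr, &user, HDR);
    if (hdr.handle_bytes > MAX_HANDLE_SZ) return -1;
    memcpy(k, &hdr, HDR);
    fetch_user(k->f_handle, user.f_handle, hdr.handle_bytes);
    return k->handle_bytes;
}

/* Returns the handle_bytes later code would trust, or -1 if rejected. */
long run_case(int single_fetch, unsigned int initial, unsigned int raced)
{
    struct file_handle k = {0};
    user.handle_bytes = initial; racer_value = raced; fetches = 0;
    return single_fetch ? load_single_fetch(&k) : load_double_fetch(&k);
}
int main(void) { return run_case(1, 16, 4096) == 16 ? 0 : 1; }
```

In the model, the double-fetch loader ends up trusting a `handle_bytes` above `MAX_HANDLE_SZ` even though the check passed, while the single-fetch loader keeps the value it validated.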