CVE-2017-6874: ucount: Remove the atomicity from ucount->count · torvalds/linux@040757f
Race condition in kernel/ucount.c in the Linux kernel through 4.10.2 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls. The flaw is in how put_ucounts and get_ucounts interact: put_ucounts decremented ucount->count outside ucounts_lock, so a count that had just reached zero could still be found by get_ucounts before put_ucounts freed the object.
ucount: Remove the atomicity from ucount->count
Always increment/decrement ucount->count under the ucounts_lock. The increments are there already and moving the decrements there means the locking logic of the code is simpler. This simplification in the locking logic fixes a race between put_ucounts and get_ucounts that could result in a use-after-free because the count could go zero then be found by get_ucounts and then be freed by put_ucounts.
A bug, presumably this one, was found by a combination of syzkaller and KASAN. JongWhan Kim reported the syzkaller failure and Dmitry Vyukov spotted the race in the code.
Cc: stable@vger.kernel.org
Fixes: f6b2db1 ("userns: Make the count of user namespaces per user")
Reported-by: JongHwan Kim <zzoru007@gmail.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Reviewed-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
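The interleaving the commit message describes, written out as a small userspace model. This is an added illustration, not the kernel's code or the commit's diff: the struct, the one-entry stand-in for the ucounts hash list, and the step functions (model_get, racy_put_decrement, fixed_put, and the scenario functions) are this example's own names, and ucounts_lock is represented only by grouping, with each function call standing for one critical section. The pre-fix put is split at the point where the real lock boundary fell, so the scenario can run get_ucounts in the gap; the post-fix put keeps decrement, zero check and list removal together, which is what "always increment/decrement ucount->count under the ucounts_lock" buys.

```c
/* Userspace model of the ucount refcount race described in the commit
 * message. Added illustration, not the kernel's code: all names below are
 * this example's own, and the lock is modelled by grouping steps into one
 * function (one call = one critical section). */
#include <stdbool.h>
#include <stdio.h>

struct ucounts_model {
    int count;     /* ucount->count: references held by user namespaces */
    bool on_list;  /* stands in for membership in the ucounts hash list */
    bool freed;    /* set by our stand-in for kfree() */
};

/* find_ucounts() stand-in: the lookup only sees objects still on the list.
 * It does not look at count, which is what the race relies on. */
static struct ucounts_model *model_find(struct ucounts_model *u)
{
    return u->on_list ? u : NULL;
}

/* get_ucounts(): lookup and increment, both under ucounts_lock (the
 * increment was already locked before the fix). Returns NULL when the
 * object is not on the list; the real code allocates a fresh one there. */
static struct ucounts_model *model_get(struct ucounts_model *u)
{
    struct ucounts_model *found = model_find(u);
    if (!found)
        return NULL;
    found->count += 1;
    return found;
}

/* Pre-fix put_ucounts(), split where the lock boundary fell: the decrement
 * ran with no lock held, so another CPU could run get_ucounts() between
 * these two halves. */
static bool racy_put_decrement(struct ucounts_model *u)
{
    return --u->count == 0;     /* atomic decrement-and-test, unlocked */
}

static void racy_put_remove_and_free(struct ucounts_model *u)
{
    u->on_list = false;         /* list removal under the lock */
    u->freed = true;            /* free after unlocking */
}

/* Post-fix put_ucounts(): decrement, zero check and list removal form one
 * critical section, so get_ucounts() sees either the old count or an
 * object that is no longer on the list, never a listed object at zero. */
static void fixed_put(struct ucounts_model *u)
{
    u->count -= 1;
    if (u->count == 0) {
        u->on_list = false;
        u->freed = true;
    }
}

/* The interleaving from the commit message on the pre-fix code:
 *   put: count 1 -> 0 outside the lock
 *   get: finds the still-listed object, count 0 -> 1, returns it
 *   put: removes and frees it anyway, because its decrement already hit zero
 * Returns true when the caller of get is left holding freed memory. */
bool racy_interleaving_is_use_after_free(void)
{
    struct ucounts_model u = { .count = 1, .on_list = true, .freed = false };
    bool last_ref = racy_put_decrement(&u);
    struct ucounts_model *got = model_get(&u);
    if (last_ref)
        racy_put_remove_and_free(&u);
    return got != NULL && got->freed;
}

/* With the fix, both orders of the two critical sections are safe. */
bool fixed_put_first_is_safe(void)
{
    struct ucounts_model u = { .count = 1, .on_list = true, .freed = false };
    fixed_put(&u);                     /* 1 -> 0: removed from list, freed */
    return model_get(&u) == NULL;      /* not found; a new object would be allocated */
}

bool fixed_get_first_is_safe(void)
{
    struct ucounts_model u = { .count = 1, .on_list = true, .freed = false };
    struct ucounts_model *got = model_get(&u);   /* 1 -> 2 */
    fixed_put(&u);                               /* 2 -> 1, nothing freed */
    return got != NULL && !got->freed && u.count == 1;
}

int main(void)
{
    printf("pre-fix interleaving yields use-after-free: %s\n",
           racy_interleaving_is_use_after_free() ? "yes" : "no");
    printf("post-fix, put before get is safe: %s\n",
           fixed_put_first_is_safe() ? "yes" : "no");
    printf("post-fix, get before put is safe: %s\n",
           fixed_get_first_is_safe() ? "yes" : "no");
    return 0;
}
```

The model deliberately keeps the lookup ignorant of count, as a hash-list walk is: the only thing that protects a zero-count object from being handed out is that its removal from the list happens in the same critical section as the decrement that produced the zero. Splitting those two steps across a lock boundary, as the pre-fix code did, is the whole bug; no extra check in get_ucounts would close it, because the count it reads can change the moment the decrementing CPU proceeds.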