oss-sec mailing list archives

Re: Linux Kernel use-after-free in SCSI generic device interface


From: <cve-assign () mitre org>
Date: Fri, 30 Dec 2016 12:57:19 -0500

Linus has committed a fix for this to mainline:

commit a0ac402cfcdc904f9772e1762b3fda112dcc56a0

whilst the originally identified
commit does partly address the issue, the completed fix for the sg and
bsg driver appears to be 128394eff343fc6d2f32172f03e24829539c5835.

Use CVE-2016-10088 for the vulnerability that remains after
a0ac402cfcdc904f9772e1762b3fda112dcc56a0.

The a0ac402cfcdc904f9772e1762b3fda112dcc56a0 code change is in 4.8.14,
but the 128394eff343fc6d2f32172f03e24829539c5835 code change is not.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]

