Ben Hutchings:
> I don't see any need for holding a reference to vma->vm_prfile here.
>
> There is also a similar bug in madvise_remove() which I can trigger by
> calling madvise(..., MADV_REMOVE) in parallel with another thread that
> does mmap() and munmap() of the same address range.
Did you test mmap()/munmap() using the same opened file object with the original mmap/madvise?
As I wrote in http://www.openwall.com/lists/oss-security/2015/09/10/4, I still think get/put(vm_prfile) is necessary.

> This bug has some security impact (at least a minor DoS, but possible
> privilege escalation) so I'm going to request a CVE ID for it.

Would you explain the possible scenario of the privilege escalation?

J. R. Okajima