KASAN Spots Another Kernel Vulnerability From Early Linux 2.6 Through 4.20

Written by Michael Larabel in Linux Kernel on 20 February 2019 at 03:11 PM EST.
The Kernel Address Sanitizer (KASAN), which detects dynamic memory errors within the Linux kernel code, has just picked up another win by uncovering a use-after-free vulnerability that's been around since the early Linux 2.6 kernels.

KASAN (along with the other sanitizers) has already proven quite valuable in spotting various coding mistakes, hopefully before they are exploited in the real world. The Kernel Address Sanitizer has earned another feather in its cap by being responsible for the CVE-2019-8912 discovery.

A use-after-free issue was found in the networking subsystem's sockfs code and looks like it could lead to arbitrary code execution as a result.

The issue was reported last week by a Huawei engineer and was fixed in Linux Git shortly thereafter. Today's Linux 4.20.11 kernel release does not yet appear to carry this patch, but it should land in the various stable/long-term branches soon.

More details on this vulnerability are available via nist.gov.