Description: user-triggerable read-after-free crash or 1-bit infoleak oracle in open(2)
References:
 https://www.openwall.com/lists/oss-security/2020/01/28/2
Notes:
 carnil> The issue got introduced with 30aba6656f61 ("namei: allow
 carnil> restricted O_CREAT of FIFOs and regular files") in 4.19-rc1
 carnil> which got backported to 4.4.166, 4.9.142 and 4.14.85.
 carnil> Needs a regression update:
 carnil> https://lore.kernel.org/lkml/20200201162645.GJ23230@ZenIV.linux.org.uk/
 carnil> which is applied in mainline as 6404674acd59 ("vfs: fix
 carnil> do_last() regression"). See:
 carnil> https://syzkaller.appspot.com/bug?extid=190005201ced78a74ad6
Bugs:
upstream: released (5.5) [d0cb50185ae942b03c4327be322055d622dc79f6]
4.19-upstream-stable: released (4.19.100) [752f72edea55f9b7c6fd019e71365def13a0f2b6]
4.9-upstream-stable: released (4.9.212) [51772996274874a6bccda05b827f92582ce7b565]
3.16-upstream-stable: N/A "Vulnerable code introduced later with 30aba6656f61"
sid: released (5.4.19-1)
4.19-buster-security: released (4.19.98-1+deb10u1) [bugfix/all/do_last-fetch-directory-i_mode-and-i_uid-before-it-s.patch]
4.9-stretch-security: released (4.9.210-1+deb9u1) [bugfix/all/do_last-fetch-directory-i_mode-and-i_uid-before-it-s.patch]
3.16-jessie-security: N/A "Vulnerable code introduced later"