Date: Tue, 18 Aug 2009 16:58:43 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: kernel: parisc: isa-eeprom missing
 lower bound check


I wasn't sure how to interpret the phrase "poke in random memory" from the
bug comment and there wasn't enough source code context, so I guessed that
the impact is reading unexpected memory, but maybe it's also a crash or
whatever.

- Steve


======================================================
Name: CVE-2009-2846
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2846
Reference: MLIST:[oss-security] 20090810 CVE request: kernel: parisc: isa-eeprom missing lower bound check
Reference: URL:http://www.openwall.com/lists/oss-security/2009/08/10/1
Reference: MLIST:[oss-security] 20090818 Re: CVE request: kernel: parisc: isa-eeprom missing lower bound check
Reference: URL:http://www.openwall.com/lists/oss-security/2009/08/18/6
Reference: CONFIRM:http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=6b4dbcd86a9d464057fcc7abe4d0574093071fcc

The eisa_eeprom_read function in the parisc isa-eeprom component
(drivers/parisc/eisa_eeprom.c) in the Linux kernel before 2.6.31-rc6
allows local users to access restricted memory via a negative ppos
argument, which bypasses a check that assumes that ppos is positive
and causes an out-of-bounds read in the readb function.

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ