Message-ID: <1862982385.592341285702955007.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>
Date: Tue, 28 Sep 2010 15:42:35 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request - kernel: pktcdvd ioctl dev_minor missing range check

Please use CVE-2010-3437

Thanks.

--
    JB

----- "Eugene Teo" <eugeneteo@...nel.sg> wrote:

> As Dan Rosenberg explained in the patch commit: The PKT_CTRL_CMD_STATUS
> device ioctl retrieves a pointer to a pktcdvd_device from the global
> pkt_devs array. The index into this array is provided directly by the
> user and is a signed integer, so the comparison to ensure that it falls
> within the bounds of this array will fail when provided with a negative
> index.
>
> This can be used to read arbitrary kernel memory or cause a crash due to
> an invalid pointer dereference. This can be exploited by users with
> permission to open /dev/pktcdvd/control (on many distributions, this is
> readable by group "cdrom").
>
> https://bugzilla.redhat.com/show_bug.cgi?id=638085
> http://git.kernel.org/linus/252a52aa4fa22a668f019e55b3aac3ff71ec1c29
>
> This was introduced in 2f8e2dc8 (v2.6.10-rc1).
>
> Thanks, Eugene
> --
> main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
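
The range-check flaw described in the quoted report, as an added user-space model (not part of the original messages and not the kernel's pktcdvd code): a signed index tested only against the upper bound, next to an unsigned index where one comparison rejects negative input. All names, the table size and the sample inputs are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_DEVS 4  /* constructed table size for this model */

struct dev { int id; };

/* Hypothetical stand-ins for a global array of device pointers. */
static struct dev devs[MAX_DEVS] = { {0}, {1}, {2}, {3} };
static struct dev *dev_table[MAX_DEVS] = { &devs[0], &devs[1], &devs[2], &devs[3] };

/* Flawed pattern: the index is a signed int and only the upper bound is
 * tested. Returns 1 when the index would be used to read the table.
 * The read itself is left out so the model never goes out of bounds. */
static int flawed_check_accepts(int minor)
{
    if (minor >= MAX_DEVS)
        return 0;
    return 1;               /* -1, -1000, ... all reach this line */
}

/* Hardened pattern: an unsigned index makes one comparison cover both
 * ends, because a negative argument converts to a value >= MAX_DEVS. */
static struct dev *checked_lookup(unsigned int minor)
{
    if (minor >= MAX_DEVS)
        return NULL;
    return dev_table[minor];
}

int main(void)
{
    int samples[] = { 0, 3, 4, -1, -1000 };   /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int m = samples[i];
        printf("minor=%6d flawed_accepts=%d checked=%s\n", m,
               flawed_check_accepts(m),
               checked_lookup((unsigned int)m) ? "entry" : "rejected");
    }
    return 0;
}
```

When the index type has to stay signed, the equivalent guard is an explicit `minor < 0 || minor >= MAX_DEVS` test before the table is touched.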