Date: Thu, 4 Nov 2010 07:16:11 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: CVE request: kernel stack infoleaks

----- "Jon Oberheide" <jon@...rheide.org> wrote:

> Vasiliy Kulikov discovered three kernel stack infoleaks in various
> packet families of the net subsystem:
> 
> ===========================================================
> 
> net/ax25
> 
> Sometimes ax25_getname() doesn't initialize all members of the fsa_digipeater
> field of the fsa struct.  This structure is then copied to userland.  It
> leads to leaking the contents of kernel stack memory.  We have to
> initialize them to zero.
> 
> http://marc.info/?l=linux-netdev&m=128854507120898&w=2
> 

Use CVE-2010-3875 for this one.


> ===========================================================
> 
> net/packet
> 
> packet_getname_spkt() doesn't initialize all members of the sa_data field of
> the sockaddr struct if strlen(dev->name) < 13.  This structure is then copied
> to userland.  It leads to leaking the contents of kernel stack memory.  We
> have to fully fill sa_data with strncpy() instead of strlcpy().
> 
> http://marc.info/?l=linux-netdev&m=128854507220908&w=2
> 

CVE-2010-3876


> ===========================================================
> 
> net/tipc
> 
> Structure sockaddr_tipc is copied to userland with the padding bytes after
> the "id" field in the union field "name" uninitialized.  It leads to leaking
> the contents of kernel stack memory.  We have to initialize them to zero.
> 
> http://marc.info/?l=linux-netdev&m=128854507420917&w=2
> 

CVE-2010-3877

Thanks.

-- 
    JB
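As an added example, not code from this thread or from the kernel patches linked above, the following userspace C model reproduces the two leak patterns Jon describes: a strlcpy()-style copy that leaves the tail of a 14-byte sa_data untouched versus strncpy(), which NUL-pads it, and a struct with alignment padding plus a union member shorter than the union, filled field by field versus zeroed first. The addr_model layout, the 0xAA "stale" marker and the lcpy() helper are constructed for the demonstration; they are not the real sockaddr_tipc or the libc strlcpy().

```c
#include <stdint.h>
#include <string.h>

/* STALE stands in for whatever an earlier call left on the stack; any byte still
 * equal to it after the structure is filled would be copied out to userland. */
#define STALE 0xAA
#define SA_DATA_LEN 14   /* sizeof(((struct sockaddr *)0)->sa_data) */
/* Portable stand-in for strlcpy(): at most size-1 bytes, NUL-terminated,
 * remainder of the buffer left untouched. */
static void lcpy(char *dst, const char *src, size_t size) {
    size_t n = strlen(src);
    if (n >= size) n = size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Bytes of sa_data still STALE after copying name in with strlcpy semantics
 * (use_strncpy == 0) or with strncpy(), which pads the remainder with NULs. */
int stale_bytes_after_copy(const char *name, int use_strncpy) {
    char sa_data[SA_DATA_LEN];
    int stale = 0;
    memset(sa_data, STALE, sizeof sa_data);            /* simulate a dirty stack */
    if (use_strncpy) strncpy(sa_data, name, sizeof sa_data);
    else             lcpy(sa_data, name, sizeof sa_data);
    for (size_t i = 0; i < sizeof sa_data; i++)
        stale += (unsigned char)sa_data[i] == STALE;
    return stale;
}

/* Constructed layout, not the real sockaddr_tipc: alignment padding follows
 * scope, and the id member covers only 8 of the union's 16 bytes. */
struct addr_model {
    uint8_t scope;
    union { struct { uint32_t ref, node; } id; uint8_t raw[16]; } name;
};

/* Bytes of the struct still STALE after setting scope and id field by field,
 * optionally zeroing the whole struct first, as the fix does. */
int stale_bytes_in_struct(int zero_first) {
    union { struct addr_model s; unsigned char b[sizeof(struct addr_model)]; } u;
    int stale = 0;
    memset(u.b, STALE, sizeof u.b);                    /* simulate a dirty stack */
    if (zero_first) memset(&u.s, 0, sizeof u.s);
    u.s.scope = 1;
    u.s.name.id.ref = 0x1234; u.s.name.id.node = 0x5678;
    for (size_t i = 0; i < sizeof u.b; i++)
        stale += u.b[i] == STALE;
    return stale;
}
```

With a 12-character interface name the strlcpy() path leaves exactly one stale byte in sa_data, which is the strlen(dev->name) < 13 condition from the net/packet report; a 13-character name fills it completely.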
