Date: Fri, 31 Dec 2010 12:53:11 +0530 From: Huzaifa Sidhpurwala <huzaifas@...hat.com> To: oss-security@...ts.openwall.com CC: Dan Rosenberg <dan.j.rosenberg@...il.com> Subject: Re: CVE request: kernel: buffer overflow in OSS load_mixer_volumes On 12/31/2010 05:32 AM, Dan Rosenberg wrote: > "The load_mixer_volumes() function, which can be triggered by > unprivileged users via the SOUND_MIXER_SETLEVELS ioctl, is vulnerable to > a buffer overflow. Because the provided 'name' argument isn't > guaranteed to be NULL terminated at the expected 32 bytes, it's possible > to overflow past the end of the last element in the mixer_vols array. > Further exploitation can result in an arbitrary kernel write (via > subsequent calls to load_mixer_volumes()) leading to privilege > escalation, or arbitrary kernel reads via get_mixer_levels(). In > addition, the strcmp() may leak bytes beyond the mixer_vols array." > Please use CVE-2010-4527 for this one. -- Huzaifa Sidhpurwala / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ