Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 8 Jul 2010 20:05:01 -0400 (EDT)
From: Josh Bressers <>
Cc: "Steven M. Christey" <>
Subject: Re: CVE request - kernel: nfsd4: bug in read_buf

Please use CVE-2010-2521



----- "Eugene Teo" <> wrote:

> Upstream commit:
> Introduced in commit 89fc0a31 ( v2.5.49) and 099e99f0 (v2.6.0-test3).
> Fixed in v2.6.34-rc6.
> "When read_buf is called to move over to the next page in the pagelist
> of an NFSv4 request, it sets argp->end to essentially a random number,
> certainly not an address within the page which argp->p now points to.
> So subsequent calls to READ_BUF will think there is much more than a 
> page of spare space (the cast to u32 ensures an unsigned comparison)
> so 
> we can expect to fall off the end of the second page."
> There's a possibility of triggering this with a specially crafted NFS
> WRITE request (if accepted by the server).
> Thanks, Eugene
> -- 
> main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i);
> }

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.