Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <AANLkTik=KVOQQm5WMgY0PROt9hFBGr9V_1h1a9Csmw2-@mail.gmail.com>
Date: Tue, 21 Sep 2010 00:25:33 -0400
From: Dan Rosenberg <dan.j.rosenberg@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: kernel: Heap corruption in ROSE

When binding a ROSE socket, the "srose_ndigis" field of the
user-provided sockaddr_rose struct is intended to be restricted to
less than ROSE_MAX_DIGIS.  However, since this field is a signed
integer, this check will pass when provided with a negative value,
allowing the "source_ndigis" field of the rose_sock struct (which is
an unsigned char) to be set to arbitrary values.  Then, by calling a
function such as rose_getname(), heap corruption results, since this
field is used as a maximum index to read from and write into an array
of ROSE_MAX_DIGIS size.  This can only be triggered by unprivileged
users when a ROSE device (e.g. rose0) exists.

Reference (and fix):
http://marc.info/?l=linux-netdev&m=128502238927086&w=2

-Dan

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.