|
Message-ID: <4C983775.8010703@redhat.com> Date: Tue, 21 Sep 2010 12:41:25 +0800 From: Eugene Teo <eugene@...hat.com> To: oss-security@...ts.openwall.com CC: Dan Rosenberg <dan.j.rosenberg@...il.com>, "Steven M. Christey" <coley@...us.mitre.org> Subject: Re: CVE request: kernel: Heap corruption in ROSE On 09/21/2010 12:25 PM, Dan Rosenberg wrote: > When binding a ROSE socket, the "srose_ndigis" field of the > user-provided sockaddr_rose struct is intended to be restricted to > less than ROSE_MAX_DIGIS. However, since this field is a signed > integer, this check will pass when provided with a negative value, > allowing the "source_ndigis" field of the rose_sock struct (which is > an unsigned char) to be set to arbitrary values. Then, by calling a > function such as rose_getname(), heap corruption results, since this > field is used as a maximum index to read from and write into an array > of ROSE_MAX_DIGIS size. This can only be triggered by unprivileged > users when a ROSE device (e.g. rose0) exists. > > Reference (and fix): > http://marc.info/?l=linux-netdev&m=128502238927086&w=2 Please use CVE-2010-3310. Thanks, Eugene -- main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.