Message-ID: <4CA19CDE.6050706@kernel.sg>
Date: Tue, 28 Sep 2010 15:44:30 +0800
From: Eugene Teo <eugeneteo@...nel.sg>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>
Subject: CVE request - kernel: pktcdvd ioctl dev_minor missing range check

As Dan Rosenberg explained in the patch commit: The PKT_CTRL_CMD_STATUS 
device ioctl retrieves a pointer to a pktcdvd_device from the global 
pkt_devs array.  The index into this array is provided directly by the 
user and is a signed integer, so the comparison to ensure that it falls 
within the bounds of this array will fail when provided with a negative 
index.

This can be used to read arbitrary kernel memory or cause a crash due to 
an invalid pointer dereference.  This can be exploited by users with 
permission to open /dev/pktcdvd/control (on many distributions, this is 
readable by group "cdrom").

https://bugzilla.redhat.com/show_bug.cgi?id=638085
http://git.kernel.org/linus/252a52aa4fa22a668f019e55b3aac3ff71ec1c29

This was introduced in 2f8e2dc8 (v2.6.10-rc1).

Thanks, Eugene
-- 
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
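
The check described in the message above, as an added userspace model (not part of the original post and not the kernel's code): a signed index compared only against the upper bound accepts every negative value, while the same comparison on an unsigned index rejects them. The names `NDEVS`, `devs`, `accepts_signed`, `accepts_unsigned` and `find_dev` are hypothetical, and the table size is an assumption.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define NDEVS 8                      /* assumed table size for this model */

struct dev { int id; };              /* stand-in for the driver's device struct */
static struct dev dev0 = { 0 };
static struct dev *devs[NDEVS] = { &dev0 };   /* slot 0 populated, rest NULL */

/* Pattern described in the message: signed index, upper bound only. */
static int accepts_signed(int idx)
{
    return idx < NDEVS;              /* true for every negative idx */
}

/* Unsigned index: a negative value converts to a huge number and fails. */
static int accepts_unsigned(unsigned int idx)
{
    return idx < NDEVS;
}

/* Safe lookup: never touches the table unless the index is in range. */
static struct dev *find_dev(int idx)
{
    if (!accepts_unsigned((unsigned int)idx))
        return NULL;
    return devs[idx];
}

int main(void)
{
    /* Constructed sample indices, including both signed extremes. */
    const int samples[] = { INT_MIN, -1, 0, NDEVS - 1, NDEVS };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int idx = samples[i];
        printf("%12d signed-check=%d unsigned-check=%d lookup=%s\n",
               idx, accepts_signed(idx), accepts_unsigned((unsigned int)idx),
               find_dev(idx) ? "device" : "NULL");
    }
    return 0;
}
```

The model only evaluates the predicates for out-of-range values and never indexes the table with them, so it runs cleanly while still showing which inputs the signed comparison lets through.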
