Message-ID: <599679687.290447.1304362741031.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>
Date: Mon, 2 May 2011 14:59:01 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: CVE request: kernel (ARM): heap corruption in OABI semtimedop

----- Original Message -----
> The OABI wrapper for semtimedop does not bound the nsops argument. A
> sufficiently large value will cause an integer overflow in allocation
> size, followed by copying too much data into the allocated buffer.
> This only affects ARM systems with CONFIG_OABI_COMPAT set.
> 
> This is exploitable for local privilege escalation, but successful
> exploitation requires winning a race. Because user-to-kernel copy
> functions on ARM zero the destination buffer even on failure to access
> the provided user pointer, the copy loop in the vulnerable function
> that causes the overflow will zero out large amounts of kernel heap if
> not interrupted, crashing the system. This should be possible to work
> around though.
> 
> -Dan
> 
> [1] http://marc.info/?l=linux-kernel&m=130408851326428&w=2

Please use CVE-2011-1759.

Thanks.

-- 
    JB
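
The arithmetic Dan describes, modelled in userspace C as an added example (not kernel code and not from the original thread): the unbounded path multiplies a per-op element size by the caller-supplied nsops in 32-bit arithmetic, as it is on 32-bit ARM, so the allocation size wraps while the copy loop still runs nsops times; the bounded path rejects nsops outside 1..SEMOPM before the multiply, which is the kind of check the wrapper lacked. The element size (8 bytes), the SEMOPM value (500) and every function name are assumptions of this model, not values taken from the page.

```c
/* Userspace model of the OABI semtimedop allocation-size overflow.
 * Added example; nothing here is the kernel's own code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <errno.h>

/* Bytes allocated per op. 8 is an assumed value chosen so the wrap is
 * easy to see; the real per-op size depends on the kernel's struct. */
#define MODEL_SEMBUF_SIZE 8u

/* Cap on ops per semop() call. 500 matches the kernel's SEMOPM define,
 * but treat it as an assumption of this model. */
#define MODEL_SEMOPM 500u

/* 32-bit size type, as size_t is on ARM, so the wrap reproduces on a
 * 64-bit host as well. */
typedef uint32_t size32_t;

/* Unbounded path: the allocation size computed the way the vulnerable
 * wrapper did it, element size times nsops, in 32-bit arithmetic. */
size32_t unbounded_alloc_size(unsigned nsops)
{
    return (size32_t)(MODEL_SEMBUF_SIZE * nsops);
}

/* Bytes the copy loop would actually write: one element per op, with
 * no truncation, since the loop counts to nsops regardless of the
 * buffer it was given. */
uint64_t bytes_copied(unsigned nsops)
{
    return (uint64_t)MODEL_SEMBUF_SIZE * nsops;
}

/* 1 when the loop writes more than the wrapped allocation holds. */
int overflows(unsigned nsops)
{
    return bytes_copied(nsops) > unbounded_alloc_size(nsops);
}

/* Bounded path: validate nsops before any multiply. Returns 0 and the
 * allocation size, -EINVAL for out-of-range nsops, -EOVERFLOW if the
 * product would still wrap (unreachable with the cap, kept as a
 * belt-and-braces check). */
int bounded_alloc_size(unsigned nsops, size32_t *out)
{
    if (nsops < 1 || nsops > MODEL_SEMOPM)
        return -EINVAL;
    if (nsops > UINT32_MAX / MODEL_SEMBUF_SIZE)
        return -EOVERFLOW;
    *out = MODEL_SEMBUF_SIZE * nsops;
    return 0;
}

int main(void)
{
    /* Constructed attacker-controlled value: 0x20000001 * 8 wraps to 8. */
    unsigned nsops = 0x20000001u;
    size32_t sz = 0;

    printf("nsops=%#x: alloc=%u bytes, loop writes %llu bytes, overflow=%d\n",
           nsops, unbounded_alloc_size(nsops),
           (unsigned long long)bytes_copied(nsops), overflows(nsops));
    printf("bounded path: rc=%d\n", bounded_alloc_size(nsops, &sz));

    nsops = 4;
    printf("bounded path with nsops=%u: rc=%d size=%u\n",
           nsops, bounded_alloc_size(nsops, &sz), sz);
    return 0;
}
```

The point of separating bytes_copied from unbounded_alloc_size is that the two disagree only after the wrap: for any nsops small enough not to overflow they are equal, which is why a range check on nsops (rather than a check on the product) is the right place to stop this.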
