oss-security - CVE requests: Remote packet-of-death vulnerabilities in Linux Kernel ozwpan driver

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <CAHmME9rAevBkp4cE=zRML0PZrDP98SZFAVBXjGVhk0Q-bcBEcg@mail.gmail.com>
Date: Wed, 13 May 2015 21:44:04 +0200
From: "Jason A. Donenfeld" <Jason@...c4.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: CVE requests: Remote packet-of-death vulnerabilities in Linux Kernel
 ozwpan driver

Hi folks,

A variety of issues have been found in Linux's ozwpan driver.

1. A remote packet can be sent, resulting in funny subtractions of
signed integers, which causes a memcpy(kernel_heap,
network_user_buffer, -network_user_provided_length).

There are two different conditions that can lead to this:
https://lkml.org/lkml/2015/5/13/740
https://lkml.org/lkml/2015/5/13/744
You may want to give two CVEs or just one CVE for these two issues.

2. A remote packet can be sent, resulting in divide-by-zero in
softirq, causing hard crash:
https://lkml.org/lkml/2015/5/13/741

3. A remote packet can be sent, resulting in a funny subtraction,
causing an insanely big loop to lock up the kernel:
https://lkml.org/lkml/2015/5/13/742

4. Multiple out-of-bounds reads, resulting in possible information
leakage, explained in the last paragraph of the introductory email
here:
https://lkml.org/lkml/2015/5/13/739

Please assign CVEs so that these can be properly tracked.

Regards,
Jason

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.