Message-ID: <CAHmME9opocVgo-EpALxnAYc4HoRWo1TVE12Tbn3QarYyYu+2qg@mail.gmail.com>
Date: Sun, 31 May 2015 01:30:05 +0200
From: "Jason A. Donenfeld" <Jason@...c4.com>
To: oss-security <oss-security@...ts.openwall.com>
Cc: cve-assign@...re.org
Subject: Re: CVE Request: Linux Kernel Ozwpan Driver - Remote packet-of-death vulnerabilities

Hi folks,

Just providing an update on this. Several fixes for these issues have
been merged.

On Wed, May 27, 2015 at 4:45 PM, Jason A. Donenfeld
> 1. A remote packet can be sent, resulting in funny subtractions of
> signed integers, which causes a memcpy(kernel_heap,
> network_user_buffer, -network_user_provided_length).
>
> There are two different conditions that can lead to this:
> https://lkml.org/lkml/2015/5/13/740
> https://lkml.org/lkml/2015/5/13/744
> You may want to give two CVEs or just one CVE for these two issues.

https://git.kernel.org/cgit/linux/kernel/git/gregkh/staging.git/commit/?id=d114b9fe78c8d6fc6e70808c2092aa307c36dc8e
https://git.kernel.org/cgit/linux/kernel/git/gregkh/staging.git/commit/?id=b1bb5b49373b61bf9d2c73a4d30058ba6f069e4c

Please assign a CVE.


>
> 2. A remote packet can be sent, resulting in divide-by-zero in
> softirq, causing hard crash:
> https://lkml.org/lkml/2015/5/13/741

https://git.kernel.org/cgit/linux/kernel/git/gregkh/staging.git/commit/?&id=04bf464a5dfd9ade0dda918e44366c2c61fce80b

Please assign a CVE.

>
> 3. A remote packet can be sent, resulting in a funny subtraction,
> causing an insanely big loop to lock up the kernel:
> https://lkml.org/lkml/2015/5/13/742

https://git.kernel.org/cgit/linux/kernel/git/gregkh/staging.git/commit/?id=9a59029bc218b48eff8b5d4dde5662fd79d3e1a8

Please assign a CVE.


>
> 4. Multiple out-of-bounds reads, resulting in possible information
> leakage, explained in the last paragraph of the introductory email
> here:
> https://lkml.org/lkml/2015/5/13/739

The maintainer has not yet written a patch to fix this issue, so it
remains an open case.

Please assign a CVE.



I'd appreciate getting these CVEs assigned sooner rather than later.

Thanks,
Jason
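
Added example, not part of the original message and not the ozwpan driver's code: the signed length subtraction described in item 1, shown on a hypothetical packet layout, next to a check that rejects the inconsistent length before any copy. The names struct demo_hdr, DEMO_BUF and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format constructed for this example (not the ozwpan layout):
 * a 4-byte header whose length field claims the size of header plus payload. */
struct demo_hdr { uint8_t type; uint8_t flags; uint16_t length; };
#define DEMO_BUF 64
/* Flawed pattern: signed subtraction, upper-bound check only. Returns the size
 * memcpy() would receive; the copy itself is left out so this is safe to run. */
size_t flawed_copy_len(uint16_t claimed)
{
    int len = claimed - (int)sizeof(struct demo_hdr); /* negative if claimed < 4 */
    if (len > DEMO_BUF)                               /* -1 passes this check */
        return 0;
    return (size_t)len;                               /* -1 becomes SIZE_MAX */
}

/* Hardened pattern: validate the claimed length before subtracting. */
int checked_copy(uint8_t *dst, size_t dst_size, const uint8_t *pkt, size_t pkt_len)
{
    struct demo_hdr h;
    size_t claimed, payload;
    if (pkt_len < sizeof(h))
        return -1;                        /* truncated header */
    memcpy(&h, pkt, sizeof(h));
    claimed = h.length;
    if (claimed < sizeof(h) || claimed > pkt_len)
        return -1;                        /* length field contradicts the packet */
    payload = claimed - sizeof(h);        /* cannot underflow after the check */
    if (payload > dst_size)
        return -1;
    memcpy(dst, pkt + sizeof(h), payload);
    return (int)payload;
}

/* Builds a constructed packet (pkt_len <= DEMO_BUF) and runs the checked path. */
int demo_checked(uint16_t claimed, size_t pkt_len)
{
    uint8_t pkt[DEMO_BUF] = {0}, dst[DEMO_BUF];
    struct demo_hdr h = { 1, 0, claimed };
    memcpy(pkt, &h, sizeof(h));
    return checked_copy(dst, sizeof(dst), pkt, pkt_len);
}

int main(void)
{
    printf("flawed: %zu, checked: %d\n", flawed_copy_len(3), demo_checked(3, 16));
    return 0;
}
```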
