oss-security September 2010 archive

Re: [oss-security] CVE request - kernel: pktcdvd ioctl dev_minor missing range check

From: Josh Bressers <bressers_at_nospam>
Date: Tue Sep 28 2010 - 19:42:35 GMT
To: oss-security@lists.openwall.com

Please use CVE-2010-3437

Thanks.

-- JB

----- "Eugene Teo" <eugeneteo@kernel.sg> wrote:

> As Dan Rosenberg explained in the patch commit: The PKT_CTRL_CMD_STATUS
> device ioctl retrieves a pointer to a pktcdvd_device from the global
> pkt_devs array. The index into this array is provided directly by the
> user and is a signed integer, so the comparison to ensure that it falls
> within the bounds of this array will fail when provided with a negative
> index.
>
> This can be used to read arbitrary kernel memory or cause a crash due to
> an invalid pointer dereference. This can be exploited by users with
> permission to open /dev/pktcdvd/control (on many distributions, this is
> readable by group "cdrom").
>
> https://bugzilla.redhat.com/show_bug.cgi?id=638085
> http://git.kernel.org/linus/252a52aa4fa22a668f019e55b3aac3ff71ec1c29
>
> This was introduced in 2f8e2dc8 (v2.6.10-rc1).
>
> Thanks, Eugene
> --
> main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
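
The bug class described in the quoted report, as an added user-space example that is not part of the original thread and not the kernel's code: a signed index checked only against the upper bound, next to two hardened lookups. `TABLE_SIZE`, `dev_table`, `struct device` and the function names are assumptions made for this model.

```c
#include <stdio.h>
#include <stddef.h>

#define TABLE_SIZE 8                       /* assumed size; not from the page */

struct device { int id; };                 /* stand-in for pktcdvd_device */
static struct device storage[TABLE_SIZE];
static struct device *dev_table[TABLE_SIZE];   /* stand-in for pkt_devs */

static void setup_table(void)
{
    for (int i = 0; i < TABLE_SIZE; i++) {
        storage[i].id = i;
        dev_table[i] = &storage[i];
    }
}

/* Flawed pattern: signed index, upper bound only.
 * Returns 1 when the index would be accepted; never dereferences. */
static int accepts_signed_upper_only(int idx)
{
    return !(idx >= TABLE_SIZE);           /* -1 >= 8 is false, so -1 passes */
}

/* Hardened lookup: an unsigned index turns any negative input into a
 * value far above TABLE_SIZE, so one comparison covers both ends. */
static struct device *find_dev(unsigned int idx)
{
    if (idx >= TABLE_SIZE)
        return NULL;
    return dev_table[idx];
}

/* Equivalent hardening when the index must stay signed. */
static struct device *find_dev_signed(int idx)
{
    if (idx < 0 || idx >= TABLE_SIZE)
        return NULL;
    return dev_table[idx];
}

int main(void)
{
    setup_table();
    printf("flawed check accepts -1: %d\n", accepts_signed_upper_only(-1));
    printf("unsigned lookup of -1:   %p\n", (void *)find_dev((unsigned int)-1));
    printf("signed lookup of -1:     %p\n", (void *)find_dev_signed(-1));
    printf("unsigned lookup of 3:    id=%d\n", find_dev(3)->id);
    return 0;
}
```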