Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 04 Sep 2008 13:43:11 +0800
From: Eugene Teo <eteo@...hat.com>
To: oss-security@...ts.openwall.com
CC: coley@...re.org
Subject: CVE request: kernel: sunrpc: fix possible overrun on read of /proc/sys/sunrpc/transports

Interesting bug.

This was committed in upstream kernel recently to address a regression
introduced in commit dc9a16e49dbba3dd042e6aec5d9a7929e099a89b.

Summary:
proc_do_xprt() does not check for user-side buffer size. The stack can
be overwritten by reading /proc/sys/sunrpc/transports even when the
length given to read() is a small value, i.e. < 38 bytes.

Upstream commit:
27df6f25ff218072e0e879a96beeb398a79cdbc8

References/Reproducer:
http://lkml.org/lkml/2008/8/30/140
http://lkml.org/lkml/2008/8/30/184

It probably needs a CVE name. Agree?

Thanks, Eugene
-- 
Eugene Teo / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ