Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 24 Feb 2009 10:34:52 +0800
From: Eugene Teo <eugene@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: kernel: memory disclosure in SO_BSDCOMPAT
 gsopt

Steven M. Christey wrote:
> ======================================================
> Name: CVE-2009-0676
[...]
> The sock_getsockopt function in net/core/sock.c in the Linux kernel
> before 2.6.28.6 does not initialize a certain structure member, which
> allows local users to obtain potentially sensitive information from
> kernel memory via an SO_BSDCOMPAT getsockopt request.

The fix for CVE-2009-0676 (upstream commit df0bca04) is incomplete. Note 
that the same problem of leaking kernel memory will reappear if someone 
on some architecture uses struct timeval with some internal padding (for 
example tv_sec 64-bit and tv_usec 32-bit) --- then, you are going to 
leak the padded bytes to userspace.

net: amend the fix for SO_BSDCOMPAT gsopt infoleak
http://marc.info/?l=linux-kernel&m=123540732700371&w=2
http://marc.info/?l=linux-netdev&m=123543237010175&w=2

Thanks, Eugene
-- 
Eugene Teo / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ