oss-security - Re: CVE request: kernel: r128 IOCTL NULL pointer dereferences when CCE state is uninitialised

Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Date: Mon, 19 Oct 2009 15:26:16 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: kernel: r128 IOCTL NULL pointer
 dereferences when CCE state is uninitialised

Please use CVE-2009-3620

Thanks.

-- 
    JB

----- "Eugene Teo" <eugeneteo@...nel.sg> wrote:

> Quoting from the upstream commit:
> "Almost all r128's private ioctls require that the CCE state has
> already 
> been initialised.  However, most do not test that this has been done,
> 
> and will proceed to dereference a null pointer.  This may result in a
> 
> security vulnerability, since some ioctls are unprivileged.
> 
> This adds a macro for the common initialisation test and changes all 
> ioctl implementations that require prior initialisation to use that
> macro.
> 
> Also, r128_do_init_cce() does not test that the CCE state has not
> been
> initialised already.  Repeated initialisation may lead to a crash or 
> resource leak.  This adds that test."
> 
> http://git.kernel.org/linus/7dc482dfeeeefcfd000d4271c4626937406756d7
> 
> Other references:
> http://secunia.com/advisories/36707/
> https://bugzilla.redhat.com/show_bug.cgi?id=529597
> 
> Thanks, Eugene

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.