Products Openwall GNU/*/Linux   server OS John the Ripper   password cracker Free & Open Source for any platform Pro for Linux (RPM package) Pro for Mac OS X (dmg package) Wordlists   for password cracking passwdqc   policy enforcement phpass   password hashing in PHP crypt_blowfish   ditto in C/C++ tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login Linux kernel security hardening Services Publications Articles Presentations Community Mailing lists Community wiki Donations Resources Source code repository (CVSweb) File archive & mirrors How to verify digital signatures Password recovery resources Recommended books What's new

Date: Fri, 23 Oct 2009 17:12:23 +0800
From: Eugene Teo <eugeneteo@...nel.sg>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>
Subject: CVE request: kvm: integer overflow in kvm_dev_ioctl_get_supported_cpuid()

Quote from the upstream commit:
"The number of entries is multiplied by the entry size, which can 
overflow on 32-bit hosts.  Bound the entry count instead."

   if (cpuid->nent < 1)
    goto out;
+ if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
+  cpuid->nent = KVM_MAX_CPUID_ENTRIES;
   r = -ENOMEM;
   cpuid_entries = vmalloc(sizeof(struct kvm_cpuid_entry2) * cpuid->nent);
   if (!cpuid_entries)

This one can be triggered if /dev/kvm is user accessible (which is
recommended...). This was introduced in v2.6.25-rc1, and fixed in 
v2.6.32-rc4. Only on 32-bit host.

References:
http://git.kernel.org/linus/0771671749b59a507b6da4efb931c44d9691e248
http://git.kernel.org/linus/6a54435560efdab1a08f429a954df4d6c740bddf
https://bugzilla.redhat.com/show_bug.cgi?id=530515

Thanks, Eugene

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ