Date: Wed, 3 Feb 2010 13:15:36 -0500 (EST) From: Josh Bressers <bressers@...hat.com> To: oss-security@...ts.openwall.com Cc: coley <coley@...re.org> Subject: Re: CVE request: kernel OOM/crash in drivers/connector Please use CVE-2010-0410 for this. Thanks. -- JB ----- "Marcus Meissner" <meissner@...e.de> wrote: > Hi, > > Sebastian Krahmer found a problem in the drivers/connector/connector.c > code > where users could send/allocate arbitrary amounts of > NETLINK_CONNECTOR > messages to the kernel, causing OOM condition, killing selected > processes > or halting the system. > > This is fixed in mainline commit > f98bfbd78c37c5946cc53089da32a5f741efdeb7 > by removing the code. > > commit f98bfbd78c37c5946cc53089da32a5f741efdeb7 > Author: Evgeniy Polyakov <zbr@...emap.net> > Date: Tue Feb 2 15:58:48 2010 -0800 > > connector: Delete buggy notification code. > > On Tue, Feb 02, 2010 at 02:57:14PM -0800, Greg KH (gregkh@...e.de) > wrote: > > > There are at least two ways to fix it: using a big cannon and > a small > > > one. The former way is to disable notification registration, > since it is > > > not used by anyone at all. Second way is to check whether > calling > > > process is root and its destination group is -1 (kind of > priveledged > > > one) before command is dispatched to workqueue. > > > > Well if no one is using it, removing it makes the most sense, > right? > > > > No objection from me, care to make up a patch either way for > this? > > Getting it is not used, let's drop support for notifications > about > (un)registered events from connector. > Another option was to check credentials on receiving, but we can > always > restore it without bugs if needed, but genetlink has a wider code > base > and none complained, that userspace can not get notification when > some > other clients were (un)registered. > > Kudos for Sebastian Krahmer <krahmer@...e.de>, who found a bug in > the > code. > > Signed-off-by: Evgeniy Polyakov <zbr@...emap.net> > Acked-by: Greg Kroah-Hartman <gregkh@...e.de> > Signed-off-by: David S. Miller <davem@...emloft.net>
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ