Date: Sun, 07 Feb 2010 22:58:32 +0800
From: Eugene Teo <eugeneteo@...nel.sg>
To: oss-security@...ts.openwall.com
CC: Marcus Meissner <meissner@...e.de>
Subject: Re: CVE request: information leak / potential crash in sys_move_pages

On 02/07/2010 09:50 AM, Marcus Meissner wrote:
> Hi,
>
> I spotted a problem in sys_move_pages, where "node" value is read from userspace,
> but not limited to the node set within the kernel itself.
>
> Due to the bit tests in mm/migrate.c:do_move_pages it is easy to read out
> the kernel memory (as node can also be negative).
>
> (The node_isset and node_state functions just map to test_bit, which has
> no limiter in the normal implementations.)
>
> There also is (in my eyes) the chance we can corrupt kernel memory later on
> if we have all the right bits setup, but I did not research this further.
>
> Issue was present starting as sys_move_pages was introduced in 2.6.18.
> Solved in mainline by commit below.
>
> Needs a CVE for information leakage at least.

Thanks, please use CVE-2010-0415.

Eugene
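
The missing range check described in the quoted report, shown as an added user-space model in C (not kernel code and not part of the original thread). `MODEL_MAX_NODES`, the arena layout, all function names and the `-ENODEV` return value are assumptions of this example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define MODEL_MAX_NODES 64  /* constructed limit, stands in for the kernel's node count */
#define BITS ((long)(sizeof(unsigned long) * CHAR_BIT))
#define MASK_WORDS ((MODEL_MAX_NODES + BITS - 1) / BITS)

/* Constructed layout: one unrelated word on each side of the node mask. */
static unsigned long arena[1 + MASK_WORDS + 1];
static unsigned long *const node_mask = arena + 1;

static void model_setup(void)
{
    memset(arena, 0, sizeof arena);
    node_mask[0] = 0x3UL;           /* only nodes 0 and 1 exist */
    node_mask[-1] = ~0UL;           /* unrelated data before the mask */
    node_mask[MASK_WORDS] = 0x1UL;  /* unrelated data after the mask */
}

/* Model of a bit test with no limiter: any index, negative included, is used. */
static int model_test_bit(long nr, const unsigned long *addr)
{
    long word = nr / BITS, bit = nr % BITS;
    if (bit < 0) { bit += BITS; word -= 1; }  /* floor division for negative nr */
    return (int)((addr[word] >> bit) & 1UL);
}

/* Before: the caller-supplied node goes straight into the bit test. */
static int node_unchecked(int node)
{
    return model_test_bit(node, node_mask) ? 0 : -ENODEV;
}

/* After: reject anything outside [0, MODEL_MAX_NODES) before testing the bit. */
static int node_checked(int node)
{
    if (node < 0 || node >= MODEL_MAX_NODES)
        return -ENODEV;
    return model_test_bit(node, node_mask) ? 0 : -ENODEV;
}

int main(void)
{
    int probes[] = { 1, 2, -1, MODEL_MAX_NODES };
    model_setup();
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("node %3d: unchecked=%d checked=%d\n", probes[i],
               node_unchecked(probes[i]), node_checked(probes[i]));
    return 0;
}
```

In the unchecked variant the result for `-1` and `MODEL_MAX_NODES` depends on memory outside the mask, so the success or failure of the call reveals one bit of unrelated data; the checked variant returns the same error for every out-of-range value.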