Products Openwall GNU/*/Linux   server OS John the Ripper   password cracker Free & Open Source for any platform Pro for Linux (RPM package) Pro for Mac OS X (dmg package) Wordlists   for password cracking passwdqc   policy enforcement phpass   password hashing in PHP crypt_blowfish   ditto in C/C++ tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login Services Publications Articles Presentations Community Mailing lists Community wiki Donations Resources Source code repository (CVSweb) File archive & mirrors How to verify digital signatures Password recovery resources Recommended books What's new

Date: Tue, 28 Sep 2010 15:44:30 +0800
From: Eugene Teo <eugeneteo@...nel.sg>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>
Subject: CVE request - kernel: pktcdvd ioctl dev_minor missing range check

As Dan Rosenberg explained in the patch commit: The PKT_CTRL_CMD_STATUS 
device ioctl retrieves a pointer to a pktcdvd_device from the global 
pkt_devs array.  The index into this array is provided directly by the 
user and is a signed integer, so the comparison to ensure that it falls 
within the bounds of this array will fail when provided with a negative 
index.

This can be used to read arbitrary kernel memory or cause a crash due to 
an invalid pointer dereference.  This can be exploited by users with 
permission to open /dev/pktcdvd/control (on many distributions, this is 
readable by group "cdrom").

https://bugzilla.redhat.com/show_bug.cgi?id=638085
http://git.kernel.org/linus/252a52aa4fa22a668f019e55b3aac3ff71ec1c29

This was introduced in 2f8e2dc8 (v2.6.10-rc1).

Thanks, Eugene
-- 
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ