Date: Tue, 12 Apr 2011 10:59:47 +0800
From: Eugene Teo <eugene@...hat.com>
To: oss-security@...ts.openwall.com
CC: Moritz Muehlenhoff <jmm@...ian.org>
Subject: Re: CVE requests: Three Linux kernel issues

> [1] http://permalink.gmane.org/gmane.linux.kernel/1124411 :
>
> | [PATCH] char: briq_panel: fix TOCTOU bug
> |
> | There is a TOCTOU bug in briq_panel_write() code:
> |
> |     if (vfd_cursor > 39) <<<
> |             scroll_vfd();
> |     vfd[vfd_cursor++] = c; <<<
> |
> | It's possible to write to an arbitrary memory location if more than
> | one process tries to call write() simultaneously.

This shouldn't happen as this is protected using tty_lock to only allow
single access to it at any one time. So having more than one process
writing to it is unlikely. No CVE for this one.

> [2] http://permalink.gmane.org/gmane.linux.kernel/1124410 :
>
> | [PATCH] char: genrtc: fix infoleak to userspace
> |
> | struct pll is copied to userspace.  It is filled in "multiplexing" function
> | get_rtc_pll().  At least one implementer, q40_get_rtc_pll(), doesn't
> | fill .pll_ctrl field.  It's hard to understand whether either the caller
> | or the callee must zero the unused struct fields, however, on other
> | ioctl commands the caller already zeroes the structure.  So, let the
> | caller use memset().

No CVE for this one either; /dev/rtc is root read/write only.

Thanks.

Eugene
-- 
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
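
The genrtc pattern quoted in [2], as an added userspace illustration that is not part of the original message or the kernel patch: a callee fills only some fields of a struct, and the caller copies the whole struct out. The struct layout, the function names, the field values and the 0xAA "stale" pattern are all constructed for the example; memcpy() stands in for copy_to_user().

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the struct copied to userspace (assumed layout). */
struct pll_info {
    int pll_ctrl;
    int pll_value;
    int pll_max;
    int pll_min;
};

/* Models a callee like q40_get_rtc_pll() that leaves .pll_ctrl untouched. */
static void fill_pll_partial(struct pll_info *p)
{
    p->pll_value = 3;
    p->pll_max = 31;
    p->pll_min = -32;
}

/* Models the ioctl path and returns how many bytes of the stale pattern
 * reach the output buffer. zero_first selects the patched behaviour. */
int stale_bytes_copied(int zero_first)
{
    struct pll_info pll;
    unsigned char out[sizeof pll];
    size_t i;
    int leaked = 0;

    /* Constructed stale contents standing in for old kernel stack data. */
    memset(&pll, 0xAA, sizeof pll);
    if (zero_first)
        memset(&pll, 0, sizeof pll);   /* the fix: caller zeroes the struct */

    fill_pll_partial(&pll);
    memcpy(out, &pll, sizeof pll);     /* stands in for copy_to_user() */

    for (i = 0; i < sizeof out; i++)
        if (out[i] == 0xAA)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("without memset: %d stale bytes\n", stale_bytes_copied(0));
    printf("with memset:    %d stale bytes\n", stale_bytes_copied(1));
    return 0;
}
```
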
