Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 26 Feb 2013 13:32:28 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request -- Linux kernel: call_console_drivers()
 Function Log Prefix Stripping buffer overflow

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/26/2013 04:39 AM, Petr Matousek wrote:
> A buffer overflow flaw was found in kernels from 3.0 to 3.4 when
> calling log_prefix() function from call_console_drivers().
> 
> This bug existed in previous releases but has been revealed with
> commit 162a7e7500f9664636e649ba59defe541b7c2c60 (2.6.39 => 3.0)
> that made changes about how to allocate memory for early printk
> buffer (use of memblock_alloc). It disappears with commit 
> 7ff9554bb578ba02166071d2d487b7fc7d860d62 (3.4 => 3.5) that does a 
> refactoring of printk buffer management.
> 
> In log_prefix(), the access to "p[0]", "p[1]", "p[2]" or 
> "simple_strtoul(&p[1], &endp, 10)" may cause a buffer overflow as
> this function is called from call_console_drivers by passing 
> "&LOG_BUF(cur_index)" where the index must be masked to do not
> exceed the buffer's boundary.
> 
> Note: /dev/kmsg is root writable only (at least on RHEL/Fedora),
> but it still might cause issues in restricted root environments.
> 
> References: https://bugs.gentoo.org/458780 
> https://secunia.com/advisories/52366/
> 
> Thanks,

Please use CVE-2013-1772 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRLRvbAAoJEBYNRVNeJnmTDCEQANEgFCyRak8EKxS2KUItFiKT
4k9/higKDji8ng7xLQS+0kgp4OwuSnS7xSmI+IkPCWwH0bSj4GXnVJmOMf9kRNhk
eQr+VGtPZzIgAoqsVfKwU6fXR0xsG5pmzPwMwcTp4kuMG1IhjKTtRN4iYLp7hrmy
sjORjoRNfHvCpC0k4Sc9IpFRHAZ/SxH5EX0kJmdDQuICbMDt61fbVneI1JhyHNFc
V+3ZLBWFpHPyHNJewEfE3+/c5jY+X2J63g9UUxKp5bcSW0l/Sl+SkNuI8eeRdPMK
lUNnOLx9I0SzSuvILd14LHmi6kMpATFa+mjhWIqbzjAlv/QfiTChZI5uTFAEQkgC
VgPUk7TvS7Zt4ej9q4H9lqjVXycxUzaCfuio8062bC3s/G2VUrfMmD93wlimFi7s
gpDdNjiYfjymNVAcxe5gcyoIKSVBOFHzxxEsliwh7/08YKDgihnalP3IH8wsODNy
E7pSvsJerfybwiGC8UQvjKIIRh0n2AU0pWejcfnSWpgy458TLx3+ONtLNZ+mil+c
E0WPdylU8+DsE+cwO4Rg6t4FEWv1JX/AOYLbP0j+Cq4HEhJNeao7xpMJpbHNCLCi
Vbb9QDzIPXK52qGr8rQ22iWbGYQvNQp/awKL7tWyGfYtvRM1Whr/dRcnpUj0hAV8
HvPyfMvPvcQhbbUNwuX0
=i24c
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ