Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 18 Nov 2013 15:46:49 +0100
From: Petr Matousek <pmatouse@...hat.com>
To: oss-security@...ts.openwall.com
Cc: Kurt Seifried <kseifrie@...hat.com>
Subject: CVE-2013-4591 -- Linux kernel: kernel: nfs: missing check for buffer
 length in __nfs4_get_acl_uncached

Commit 1f1ea6c ccidently dropped the checking for too small result
buffer length.
   
If someone uses getxattr on "system.nfs4_acl" on an NFSv4 mount
supporting ACLs, the ACL has not been cached and the buffer suplied is
too short, we still copy the complete ACL, resulting in kernel and user
space memory corruption.

Introduced by:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1f1ea6c2d9d8c0be9ec56454b05315273b5de8ce

Upstream commit:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7d3e91a89b7adbc2831334def9e494dd9892f9af

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1031678

-- 
Petr Matousek / Red Hat Security Response Team
PGP: 0xC44977CA 8107 AF16 A416 F9AF 18F3  D874 3E78 6F42 C449 77CA

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ