Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 16 Oct 2015 08:56:46 +0200
From: Salva Peiró <>
Cc: Greg KH <>
Subject: Re: CVE Request: Linux Kernel heap corruption on debug_read_tlb

On 10/15/15, Greg KH <> wrote:
> On Thu, Oct 15, 2015 at 10:30:04AM +0200, Salva Peiró wrote:
>> Hello,
>> Is there a CVE for this? If not, could one be assigned, please?
>>      commit e203db293863fa15b4b1917d4398fb5bd63c4e88
>>      iommu/omap: Fix debug_read_tlb() to use seq_printf()
>>      The debug_read_tlb() uses the sprintf() functions directly on the
>> buffer
>>      allocated by buf = kmalloc(count), without taking into account the
>> size
>>      of the buffer, with the consequence corrupting the heap, depending
>> on
>>      the count requested by the user.
>>      The patch fixes the issue replacing sprintf() by seq_printf().
> For a root-only-readable file?  Why is a CVE needed?
> thanks,
> greg k-h

When the root user reads from /sys/kernel/debug/omap_iommu/mmu*/tlb
this leads to a corruption of the SLUB allocator control structures.
Later use of the SLUB cache causes a kernel panic, and the machine stops

As triggering the bug, causes the machine to stop responding,
the issue impacts the availability of the whole machine and its services,
that's why I consider requesting a CVE.


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ