Date: Fri, 16 Oct 2015 08:56:46 +0200 From: Salva Peiró <speiro@....upv.es> To: oss-security@...ts.openwall.com Cc: Greg KH <greg@...ah.com> Subject: Re: CVE Request: Linux Kernel heap corruption on debug_read_tlb On 10/15/15, Greg KH <greg@...ah.com> wrote: > On Thu, Oct 15, 2015 at 10:30:04AM +0200, Salva Peiró wrote: >> Hello, >> >> Is there a CVE for this? If not, could one be assigned, please? >> >> https://patchwork.kernel.org/patch/6853351/ >> commit e203db293863fa15b4b1917d4398fb5bd63c4e88 >> iommu/omap: Fix debug_read_tlb() to use seq_printf() >> >> The debug_read_tlb() uses the sprintf() functions directly on the >> buffer >> allocated by buf = kmalloc(count), without taking into account the >> size >> of the buffer, with the consequence corrupting the heap, depending >> on >> the count requested by the user. >> >> The patch fixes the issue replacing sprintf() by seq_printf(). > > For a root-only-readable file? Why is a CVE needed? > > thanks, > > greg k-h > When the root user reads from /sys/kernel/debug/omap_iommu/mmu*/tlb this leads to a corruption of the SLUB allocator control structures. Later use of the SLUB cache causes a kernel panic, and the machine stops responding. As triggering the bug, causes the machine to stop responding, the issue impacts the availability of the whole machine and its services, that's why I consider requesting a CVE. -- salva
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ