Date: Thu, 27 Oct 2016 02:41:19 -0400 (EDT)
From: cve-assign@...re.org
To: vlad@...rklevich.net
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: kernel: low-severity vfio driver integer overflow - Linux kernel

> The vfio driver allows direct user access to devices. The
> VFIO_DEVICE_SET_IRQS ioctl for vfio PCI devices has a state machine
> confusion bug where specifying VFIO_IRQ_SET_DATA_NONE along with
> another bit in VFIO_IRQ_SET_DATA_TYPE_MASK in hdr.flags allows integer
> overflow checks to be skipped for hdr.start/hdr.count. This might
> allow memory corruption later in vfio_pci_set_msi_trigger() with user
> access to an appropriate vfio device file, but it seems difficult to
> usefully exploit in practice.
> 
> https://patchwork.kernel.org/patch/9373631/

Use CVE-2016-9083 for the "state machine confusion bug."

Use CVE-2016-9084 for the separate problem fixed by "kzalloc is
changed to a kcalloc."

This is not yet available at
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/drivers/vfio/pci/vfio_pci.c
and
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/drivers/vfio/pci/vfio_pci_intrs.c
but may be there later.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
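
The flag-handling confusion described in the quoted report, as a user-space model added here (not code from the kernel patch or from either message): one validator reads "the NONE bit is set" as "nothing to validate", the other requires exactly one data-type bit and range-checks every request. The flag values, struct layout and function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the data-type flag bits named in the report. */
#define DATA_NONE      (1u << 0)
#define DATA_BOOL      (1u << 1)
#define DATA_EVENTFD   (1u << 2)
#define DATA_TYPE_MASK (DATA_NONE | DATA_BOOL | DATA_EVENTFD)

struct irq_set_hdr { uint32_t flags, start, count; }; /* hypothetical model */

/* Overflow-safe range test: never computes start + count. */
static bool range_ok(const struct irq_set_hdr *h, uint32_t max_irqs)
{
    return h->start < max_irqs && h->count <= max_irqs - h->start;
}

/* Confused form: "NONE bit set" is read as "nothing to validate", so NONE
 * combined with another data-type bit skips the range check entirely. */
bool validate_confused(const struct irq_set_hdr *h, uint32_t max_irqs)
{
    if (h->flags & ~DATA_TYPE_MASK)
        return false;
    if (h->flags & DATA_NONE)
        return true;
    if (!(h->flags & (DATA_BOOL | DATA_EVENTFD)))
        return false;
    return range_ok(h, max_irqs);
}

/* Strict form: exactly one data-type bit, range check on every request. */
bool validate_strict(const struct irq_set_hdr *h, uint32_t max_irqs)
{
    uint32_t type = h->flags & DATA_TYPE_MASK;
    if (h->flags & ~DATA_TYPE_MASK)
        return false;
    if (type != DATA_NONE && type != DATA_BOOL && type != DATA_EVENTFD)
        return false;
    return range_ok(h, max_irqs);
}

int main(void)
{
    /* Constructed request: two data-type bits plus an out-of-range window. */
    struct irq_set_hdr mixed = { DATA_NONE | DATA_BOOL, 0xFFFFFFF0u, 0x20u };
    printf("confused=%d strict=%d\n", validate_confused(&mixed, 8), validate_strict(&mixed, 8));
    return 0;
}
```
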
