Date: Fri, 23 Oct 2009 17:12:23 +0800 From: Eugene Teo <eugeneteo@...nel.sg> To: oss-security@...ts.openwall.com CC: "Steven M. Christey" <coley@...us.mitre.org> Subject: CVE request: kvm: integer overflow in kvm_dev_ioctl_get_supported_cpuid() Quote from the upstream commit: "The number of entries is multiplied by the entry size, which can overflow on 32-bit hosts. Bound the entry count instead." if (cpuid->nent < 1) goto out; + if (cpuid->nent > KVM_MAX_CPUID_ENTRIES) + cpuid->nent = KVM_MAX_CPUID_ENTRIES; r = -ENOMEM; cpuid_entries = vmalloc(sizeof(struct kvm_cpuid_entry2) * cpuid->nent); if (!cpuid_entries) This one can be triggered if /dev/kvm is user accessible (which is recommended...). This was introduced in v2.6.25-rc1, and fixed in v2.6.32-rc4. Only on 32-bit host. References: http://git.kernel.org/linus/0771671749b59a507b6da4efb931c44d9691e248 http://git.kernel.org/linus/6a54435560efdab1a08f429a954df4d6c740bddf https://bugzilla.redhat.com/show_bug.cgi?id=530515 Thanks, Eugene
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.