Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <4C34176C.4060402@kernel.sg>
Date: Wed, 07 Jul 2010 13:58:04 +0800
From: Eugene Teo <eugeneteo@...nel.sg>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>
Subject: CVE request - kernel: nfsd4: bug in read_buf

https://bugzilla.redhat.com/show_bug.cgi?id=612028
Upstream commit: http://git.kernel.org/linus/2bc3c117

Introduced in commit 89fc0a31 ( v2.5.49) and 099e99f0 (v2.6.0-test3). 
Fixed in v2.6.34-rc6.

"When read_buf is called to move over to the next page in the pagelist 
of an NFSv4 request, it sets argp->end to essentially a random number, 
certainly not an address within the page which argp->p now points to. 
So subsequent calls to READ_BUF will think there is much more than a 
page of spare space (the cast to u32 ensures an unsigned comparison) so 
we can expect to fall off the end of the second page."

There's a possibility of triggering this with a specially crafted NFS 
WRITE request (if accepted by the server).

Thanks, Eugene
-- 
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.