|
Message-ID: <4C34176C.4060402@kernel.sg> Date: Wed, 07 Jul 2010 13:58:04 +0800 From: Eugene Teo <eugeneteo@...nel.sg> To: oss-security@...ts.openwall.com CC: "Steven M. Christey" <coley@...us.mitre.org> Subject: CVE request - kernel: nfsd4: bug in read_buf https://bugzilla.redhat.com/show_bug.cgi?id=612028 Upstream commit: http://git.kernel.org/linus/2bc3c117 Introduced in commit 89fc0a31 ( v2.5.49) and 099e99f0 (v2.6.0-test3). Fixed in v2.6.34-rc6. "When read_buf is called to move over to the next page in the pagelist of an NFSv4 request, it sets argp->end to essentially a random number, certainly not an address within the page which argp->p now points to. So subsequent calls to READ_BUF will think there is much more than a page of spare space (the cast to u32 ensures an unsigned comparison) so we can expect to fall off the end of the second page." There's a possibility of triggering this with a specially crafted NFS WRITE request (if accepted by the server). Thanks, Eugene -- main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.