Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 27 Oct 2016 02:41:19 -0400 (EDT)
From: cve-assign@...re.org
To: vlad@...rklevich.net
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: kernel: low-severity vfio driver integer overflow - Linux kernel

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> The vfio driver allows direct user access to devices. The
> VFIO_DEVICE_SET_IRQS ioctl for vfio PCI devices has a state machine
> confusion bug where specifying VFIO_IRQ_SET_DATA_NONE along with
> another bit in VFIO_IRQ_SET_DATA_TYPE_MASK in hdr.flags allows integer
> overflow checks to be skipped for hdr.start/hdr.count. This might
> allow memory corruption later in vfio_pci_set_msi_trigger() with user
> access to an appropriate vfio device file, but it seems difficult to
> usefully exploit in practice.
> 
> https://patchwork.kernel.org/patch/9373631/

Use CVE-2016-9083 for the "state machine confusion bug."

Use CVE-2016-9084 for the separate problem fixed by "kzalloc is
changed to a kcalloc."

This is not yet available at
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/drivers/vfio/pci/vfio_pci.c
and
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/drivers/vfio/pci/vfio_pci_intrs.c
but may be there later.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYEaDdAAoJEHb/MwWLVhi2SXoP/A1cw0kppdrB03QUfdZM8ShT
BBnH+GWpricg333jEtfM1ypq5NqN62bG4/SQzvJwqV0HKffodIqzKAqpu0jzvzHA
rlVs+lrv0folE2T4mZNc0lDWr36lwIf2LJx3tdYnl/EaW11FSVIsO/K5/bnXYU0b
Yxarmk5jhG48pcjFo969FvpfDYXBZuleuluTWs/t4MM5R5iY/hpA/+vPBqQPf9Qp
Mb+WwFu4fuXjTxWRTXfaH6l2ZQ4qdjxzwZnHzyj4Xt/B9aXDQx/uibM6gwMlK79d
HSAElifmLxhBClhRj9t5CWjz7qxtD/Ll7UOklM1a6C+DPwvpYnr5iaz0iQDh4IA9
ZFWh+EffrFufmrvQ1/3YBLwCUd74thDisbeqZSaIOH9+itdV5rwiuiAz7PusNzcc
VLTh3kP34kahzIyvpNt342opeA/1dCvv1qNWCC1G9MwJbuW6N7PAm1v7bwr22Fz7
sFvQ7FB4aUV+AV835wkPNXqZaoyBfzDvzXoW9aFMzQzjcvdKfNT4VU7N2mHJqfYU
OP5PNuqUg4Wly0Rwych0YpoYTXfvFyy//AvuTIvZRHQErS5ny8gJvjwGg8oVObjr
l+3WOQxAmJST2jvczPLKhiQP3zPDmlMx9MTUuYWR4MJqaEf7nwjJnqTf5chWGPsR
9jneh8oMpkQJm0IRDyc+
=AZ3J
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.