Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 23 May 2017 18:46:45 +0000
From: Roee Hay <>
Subject: Linux lp.c Out-of-Bounds Write via Kernel Command-line (CVE-2017-1000363)

Due to a missing bounds check in the lp driver, and the fact that
parport_ptr integer is static, a kernel command-line adversary (can happen
due to bootloader vulnerabilities in Secure Boot environments, e.g. Nexus
6's CVE-2016-10277) can overflow the parport_nr array in the following
code, by appending many (>LP_NO) lp=none arguments to the command line.
CONFIG_PRINTER=y is required.

static int parport_nr[LP_NO] = { [0 ... LP_NO-1] = LP_PARPORT_UNSPEC };
static char *parport[LP_NO];
#ifndef MODULE
static int __init lp_setup (char *str)
static int parport_ptr;
} else if (!strncmp(str, "parport", 7)) {
    int n = simple_strtoul(str+7, NULL, 10);
    if (parport_ptr < LP_NO)
        parport_nr[parport_ptr++] = n;
        printk(KERN_INFO "lp: too many ports, %s ignored.\n",
} else if (!strcmp(str, "auto")) {
    parport_nr[0] = LP_PARPORT_AUTO;
} else if (!strcmp(str, "none")) {
    parport_nr[parport_ptr++] = LP_PARPORT_NONE;
__setup("lp=", lp_setup);

Linux 4.x (4.12-rc1 and below)
Linux 3.x
Linux 2.6.x
Linux 2.4.x
Linux 2.2.x


23-May-17: Public disclosure.
22-May-17: Patch available (Linux mainline 4.12-rc2).
17-May-17: CVE-2017-1000363 assigned by Kurt Seifried, Red Hat Product
16-May-17: Patch available (Linux Char/Misc drivers development tree).
16-May-17: Reported.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.