funsec mailing list archives

MoKB days 3 and 4


From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Sat, 4 Nov 2006 17:39:40 -0500

As a side note, it's nice to see someone picking on someone besides
Microsoft for once :-)

-----------------------------------------Day-3-----------------------------------

http://projects.info-pull.com/mokb/MOKB-03-11-2006.html

FreeBSD 6.1 UFS filesystem ffs_mountfs() integer overflow
Description:    The UFS filesystem handling code of the FreeBSD 6.1
kernel fails to properly handle corrupted data structures, leading to
exploitable memory corruption (DoS) issues and possible arbitrary code
execution. This particular vulnerability is caused by an integer
overflow in the ffs_mountfs() function.

When a crafted UFS filesystem is mounted, the amount of kernel memory
being allocated can be influenced directly, controlling the value
passed to kmem_alloc() via ffs_mountfs and the successive calls to
malloc, uma_large_malloc and page_alloc. A large or invalid size
parameter will cause a kernel panic. A low or zero value for the size
parameter may lead to an exploitable heap-based buffer overflow if
user controlled data is being copied from the filesystem stream.

-----------------------------------------Day-4-----------------------------------

http://projects.info-pull.com/mokb/MOKB-04-11-2006.html

Solaris 10 UFS filesystem alloccgblk denial of service
Description:    The UFS filesystem handling code of the Solaris 10
kernel fails to properly handle corrupted data structures, leading to
an exploitable denial of service issue and potential loss of data or
corruption of the local UFS filesystems, due to memory corruption.


------------------------

-JP
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
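
Added example (not from the post, the MoKB advisory or the FreeBSD source): how an allocation size computed from on-disk fields can wrap to a small value, the failure mode the Day 3 description names, next to a checked version that rejects such a header before anything is allocated or copied. The struct, its field names and the 1 MiB cap are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical on-disk header; field names are illustrative, not FreeBSD's. */
struct disk_hdr {
    int32_t tbl_bytes;   /* size of a summary table, as stored on disk */
    int32_t extra_count; /* number of trailing 32-bit entries */
};
#define MAX_TBL_BYTES (1u << 20) /* assumed sanity cap for this example */

/* Unchecked: 32-bit arithmetic wraps, so a huge count yields a tiny size. */
uint32_t naive_alloc_size(const struct disk_hdr *h)
{
    return (uint32_t)h->tbl_bytes + (uint32_t)h->extra_count * 4u;
}

/* Checked: reject zero/negative fields, compute in 64 bits, apply the cap. */
int checked_alloc_size(const struct disk_hdr *h, size_t *out)
{
    uint64_t total;
    if (h->tbl_bytes <= 0 || h->extra_count < 0)
        return -1;
    total = (uint64_t)h->tbl_bytes + (uint64_t)h->extra_count * 4u;
    if (total > MAX_TBL_BYTES)
        return -1;
    *out = (size_t)total;
    return 0;
}

/* Allocate and copy only after the size is validated against cap and image. */
void *load_table(const struct disk_hdr *h, const uint8_t *img, size_t img_len, size_t *len)
{
    void *p;
    if (checked_alloc_size(h, len) != 0 || *len > img_len)
        return NULL;
    p = malloc(*len);
    if (p != NULL)
        memcpy(p, img, *len);
    return p;
}

int main(void)
{
    struct disk_hdr crafted = { 16, 0x40000000 }; /* constructed sample */
    size_t n = 0;
    printf("naive=%u ", (unsigned)naive_alloc_size(&crafted));
    printf("checked=%d\n", checked_alloc_size(&crafted, &n));
    return 0;
}
```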

