oss-sec mailing list archives
CVE request: kernel: sunrpc: fix possible overrun on read of /proc/sys/sunrpc/transports
From: Eugene Teo <eteo () redhat com>
Date: Thu, 04 Sep 2008 13:43:11 +0800
Interesting bug. This was committed in upstream kernel recently to address a regression introduced in commit dc9a16e49dbba3dd042e6aec5d9a7929e099a89b. Summary: proc_do_xprt() does not check for user-side buffer size. The stack can be overwritten by reading /proc/sys/sunrpc/transports even when the length given to read() is a small value, i.e. < 38 bytes. Upstream commit: 27df6f25ff218072e0e879a96beeb398a79cdbc8 References/Reproducer: http://lkml.org/lkml/2008/8/30/140 http://lkml.org/lkml/2008/8/30/184 It probably needs a CVE name. Agree? Thanks, Eugene -- Eugene Teo / Red Hat Security Response Team
Current thread:
- CVE request: kernel: sunrpc: fix possible overrun on read of /proc/sys/sunrpc/transports Eugene Teo (Sep 03)
- Re: CVE request: kernel: sunrpc: fix possible overrun on read of /proc/sys/sunrpc/transports Steven M. Christey (Sep 04)