oss-sec mailing list archives

CVE request: kernel: sunrpc: fix possible overrun on read of /proc/sys/sunrpc/transports


From: Eugene Teo <eteo () redhat com>
Date: Thu, 04 Sep 2008 13:43:11 +0800

Interesting bug.

This was committed in upstream kernel recently to address a regression
introduced in commit dc9a16e49dbba3dd042e6aec5d9a7929e099a89b.

Summary:
proc_do_xprt() does not check for user-side buffer size. The stack can
be overwritten by reading /proc/sys/sunrpc/transports even when the
length given to read() is a small value, i.e. < 38 bytes.

Upstream commit:
27df6f25ff218072e0e879a96beeb398a79cdbc8

References/Reproducer:
http://lkml.org/lkml/2008/8/30/140
http://lkml.org/lkml/2008/8/30/184

It probably needs a CVE name. Agree?

Thanks, Eugene
-- 
Eugene Teo / Red Hat Security Response Team
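
The missing user-side length check described in the summary above, as an added user-space model (not the kernel's code and not part of the original message). It compares a read handler that ignores the caller's length with one that bounds the copy and tracks the offset. The function names, the 64-byte arena and the listing text are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>
/* Constructed sample text standing in for the formatted transport list. */
static const char LISTING[] = "tcp 1048576\nudp 32768\n";
#define LISTING_LEN (sizeof(LISTING) - 1)

/* Unchecked model: copies the whole listing, ignoring the caller's count. */
size_t read_unchecked(char *ubuf, size_t count, size_t *pos) {
    (void)count;
    memcpy(ubuf, LISTING, LISTING_LEN);
    *pos += LISTING_LEN;
    return LISTING_LEN;
}

/* Bounded model: writes at most count bytes and resumes from *pos. */
size_t read_bounded(char *ubuf, size_t count, size_t *pos) {
    size_t n;
    if (*pos >= LISTING_LEN)
        return 0;                       /* end of data */
    n = LISTING_LEN - *pos;
    if (n > count)
        n = count;                      /* honour the caller's length */
    memcpy(ubuf, LISTING + *pos, n);
    *pos += n;
    return n;
}

/* Bytes past `count` in a 64-byte arena are canary; returns how many changed. */
size_t canary_damage(size_t (*handler)(char *, size_t, size_t *), size_t count) {
    unsigned char arena[64];
    size_t pos = 0, i, damaged = 0;
    memset(arena, 0xA5, sizeof(arena));
    handler((char *)arena, count, &pos);
    for (i = count; i < sizeof(arena); i++)
        damaged += (arena[i] != 0xA5);
    return damaged;
}

/* Drains read_bounded in chunk-sized reads; 1 if the pieces reassemble. */
int drains_intact(size_t chunk) {
    char out[64];
    size_t pos = 0, total = 0, n;
    while ((n = read_bounded(out + total, chunk, &pos)) > 0)
        total += n;
    return total == LISTING_LEN && memcmp(out, LISTING, total) == 0;
}

int main(void) {
    return !(canary_damage(read_bounded, 8) == 0 && drains_intact(8));
}
```

With an 8-byte request the unchecked model changes 14 canary bytes beyond the caller's buffer, while the bounded model changes none and still delivers the full listing across successive reads.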

