oss-sec mailing list archives
Re: CVE-2009-2698 kernel: udp socket NULL ptr dereference
From: Eugene Teo <eugeneteo () kernel sg>
Date: Sun, 30 Aug 2009 19:15:34 +0800
Eugene Teo wrote:
A flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. This was fixed by Herbert Xu in v2.6.19-rc1, and reported by Tavis Ormandy and Julien Tinnes of the Google Security Team.Upstream commits: http://git.kernel.org/linus/1e0c14f49d6b393179f423abbac47f85618d3d46 References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2698 https://rhn.redhat.com/errata/RHSA-2009-1222.html https://rhn.redhat.com/errata/RHSA-2009-1223.html
Related to this:Add a check in ip_append_data() for NULL *rtp to prevent future bugs in callers from being exploitable.
http://git.kernel.org/linus/788d908f2879a17e5f80924f3da2e23f1034482d Thanks, Eugene
Current thread:
- CVE-2009-2698 kernel: udp socket NULL ptr dereference Eugene Teo (Aug 24)
- Re: CVE-2009-2698 kernel: udp socket NULL ptr dereference Eugene Teo (Aug 30)