oss-sec mailing list archives
More kernel CVE info (CVE-2009-2909)
From: Josh Bressers <bressers () redhat com>
Date: Wed, 7 Oct 2009 14:46:10 -0400 (EDT)
As MITRE is already busy, I'm giving a kernel flaw another CVE id. My analysis
is below.
The 2.6.31.2 changelog contains these two snippets:
net ax25: Fix signed comparison in the sockopt handler
net: Make the copy length in af_packet sockopt handler unsigned
The ax25 flaw looks real, the af_packet one is probably just a bug.
I'm assigning CVE-2009-2909 to the ax25 flaw.
Here is my analysis, if someone sees an issue with it, please feel free to speak
up.
ax25 (CVE-2009-2909)
http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commit;h=b7058842c940ad2c08dd829b21e5c92ebe3b8758
http://article.gmane.org/gmane.linux.kernel/896907
In the file af_ax25.c there is this bit:
case SO_BINDTODEVICE:
if (optlen > IFNAMSIZ) optlen=IFNAMSIZ;
if (copy_from_user(devname, optval, optlen))
return -EFAULT;
If a user can make the value of optlen wrap to a negative number, the
check should pass, but the call to copy_from_user has this check in it:
BUG_ON((long) n < 0);
Where n is optlen. I'm told this will OOPS the kernel. That means that
this flaw should only be a DoS.
af_packet (No CVE id, just a bug)
http://article.gmane.org/gmane.linux.kernel/896917
I don't think the missed check in af_packet.c is an issue. The check
if (len < 0)
return -EINVAL;
Will never fail, but just beneath that bit in the code, you have
if (len > sizeof(struct tpacket_stats))
len = sizeof(struct tpacket_stats);
and
if (len > sizeof(int))
len = sizeof(int);
As our error condition would need len to be a negative number, but the
sizeof check will cast it as unsigned, these checks would effectively
fail, resetting len to something sane. Even then, all that happens
with len, is a copy_to_user, which wouldn't hurt the kernel, but could
crash the app (which we likely don't care about in this instance).
Thanks.
--
JB
Current thread:
- More kernel CVE info (CVE-2009-2909) Josh Bressers (Oct 07)