oss-sec mailing list archives
Re: CVE request: NetSMB BSD kernel module (minor)
From: Josh Bressers <bressers () redhat com>
Date: Fri, 16 Jul 2010 11:08:14 -0400 (EDT)
Please use CVE-2010-2530 Sorry for the delay. -- JB ----- "Dan Rosenberg" <dan.j.rosenberg () gmail com> wrote:
I discovered and reported a minor security issue in the netsmb kernel module for NetBSD and FreeBSD. The issue also affects Mac OS X 10.x, where netsmb is available as a kernel extension. Several of the subroutines in the netsmb module (see reference below for vulnerable functions), which are reachable by unprivileged local users via device ioctls sent to a /dev/nsmb* device, had signedness errors. By providing a negative value for a size field for certain device ioctls (including SMBIOC_LOOKUP and SMBIOC_OPENSESSION for *BSD), a size check will be bypassed and a memory overallocation will occur, causing a kernel panic. NetBSD committed their fix to CVS today: http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netsmb/smb_subr.c.diff?r1=1.34&r2=1.35&only_with_tag=MAIN&f=h Regards, Dan Rosenberg
Current thread:
- CVE request: NetSMB BSD kernel module (minor) Dan Rosenberg (Jul 12)
- Re: CVE request: NetSMB BSD kernel module (minor) Josh Bressers (Jul 16)