oss-sec mailing list archives
Re: CVE request: kernel: heap overflow in TIPC
From: Josh Bressers <bressers () redhat com>
Date: Fri, 22 Oct 2010 10:38:52 -0400 (EDT)
Please use CVE-2010-3859 Thanks. -- JB ----- "Dan Rosenberg" <dan.j.rosenberg () gmail com> wrote:
The tipc_msg_build() function in net/tipc/msg.c contains an exploitable kernel heap overflow that would allow a local user to escalate privileges to root by issuing maliciously crafted sendmsg() calls via TIPC sockets. Fortunately, none of the distributions I tested actually define a module alias for TIPC even though it is compiled as a module on nearly all of them (I suspect this is a lucky accident). Since in these situations, the TIPC module will not be loaded automatically on creation of a TIPC socket, an administrator would have had to explicitly load the TIPC kernel module in order for a system to be vulnerable. I checked Ubuntu, Debian, and Fedora, none of which define an alias. Any distributions that define a module alias for TIPC (i.e. "alias net-pf-30 tipc") should treat this as a serious vulnerability. Even if your distribution does not, I highly recommend backporting the fix for this, since it's a bit of defensive programming in the core networking code that handles verifying user-supplied iovecs, which likely resolves other undiscovered (or undisclosed) security issues elsewhere. I'll post a link to the fix when it's finalized and committed. Reference: http://marc.info/?l=linux-netdev&m=128770476511716&w=2 -Dan
Current thread:
- CVE request: kernel: heap overflow in TIPC Dan Rosenberg (Oct 22)
- Re: CVE request: kernel: heap overflow in TIPC Josh Bressers (Oct 22)