oss-sec mailing list archives
Re: CVE request: kernel: heap corruption in IrDA
From: Dan Rosenberg <dan.j.rosenberg () gmail com>
Date: Mon, 21 Mar 2011 19:18:58 -0400
On Mon, Mar 21, 2011 at 12:59 AM, Eugene Teo <eugene () redhat com> wrote:
On 03/21/2011 03:26 AM, Dan Rosenberg wrote:When providing an invalid IrDA nickname for an IrNET peer, a local attacker can cause a kernel panic due to an underflow in a memcpy() size calculation or cause a controllable heap overflow that may lead to privilege escalation. Write access to the /dev/irnet device file is required to trigger the vulnerability. Reference: http://marc.info/?l=linux-netdev&m=130060169116047&w=2The default permissions for /dev/irnet is root-read/write only. In the past I have ignored such issues that can only be triggered by root, even though the permissions can be changed. I wouldn't assign a CVE name for this. CC'ed Steve.
Fair enough, I should probably have been more clear about the exact impact of the flaw. But given recent discussions about hardening the kernel even against the root user, it seems like reliably triggered kernel memory corruption of any kind enables crossing some security boundary, so this may still deserve a CVE - just one with a description that accurately reflects the relatively less common attack scenario. -Dan
Thanks, Eugene -- main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
Current thread:
- CVE request: kernel: heap corruption in IrDA Dan Rosenberg (Mar 20)
- Re: CVE request: kernel: heap corruption in IrDA Eugene Teo (Mar 20)
- Re: CVE request: kernel: heap corruption in IrDA Dan Rosenberg (Mar 21)
- Re: CVE request: kernel: heap corruption in IrDA Eugene Teo (Mar 22)
- Re: CVE request: kernel: heap corruption in IrDA Dan Rosenberg (Mar 21)
- Re: CVE request: kernel: heap corruption in IrDA Eugene Teo (Mar 20)