Re: CVE request: kernel: heap corruption in IrDA

[Eugene Teo <eugene () redhat com>]

On 03/22/2011 07:18 AM, Dan Rosenberg wrote:
> On Mon, Mar 21, 2011 at 12:59 AM, Eugene Teo<eugene () redhat com>  wrote:
> > On 03/21/2011 03:26 AM, Dan Rosenberg wrote:
> > > When providing an invalid IrDA nickname for an IrNET peer, a local
> > > attacker can cause a kernel panic due to an underflow in a memcpy()
> > > size calculation or cause a controllable heap overflow that may lead
> > > to privilege escalation.  Write access to the /dev/irnet device file
> > > is required to trigger the vulnerability.
> > >
> > > Reference:
> > > http://marc.info/?l=linux-netdev&m=130060169116047&w=2
> >
> > The default permissions for /dev/irnet is root-read/write only. In the past
> > I have ignored such issues that can only be triggered by root, even though
> > the permissions can be changed. I wouldn't assign a CVE name for this. CC'ed
> > Steve.
>
> Fair enough, I should probably have been more clear about the exact
> impact of the flaw.  But given recent discussions about hardening the
> kernel even against the root user, it seems like reliably triggered

wrt to capabilities.

> kernel memory corruption of any kind enables crossing some security
> boundary, so this may still deserve a CVE - just one with a
> description that accurately reflects the relatively less common attack
> scenario.

Yes, but it can't be triggered by a local, unprivileged user.

Eugene
--
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }