![oss-sec logo](/images/oss-sec-logo.png)
oss-sec mailing list archives
Re: CVE requests: Three Linux kernel issues
From: Eugene Teo <eugene () redhat com>
Date: Tue, 12 Apr 2011 10:59:47 +0800
[1] http://permalink.gmane.org/gmane.linux.kernel/1124411 : | PATCH] char: briq_panel: fix TOCTOU bug | | There is a TOCTOU bug in briq_panel_write() code: | | if (vfd_cursor> 39)<<< | scroll_vfd(); | vfd[vfd_cursor++] = c;<<< | | It's possible to write to arbitrary memory location in case of more than | one process tries to call write() simultaneously.
This shouldn't happen as this is protected using tty_lock to only allow single access to it at any one time. So having more than one processes writing to it is unlikely. No CVE for this one.
[2] http://permalink.gmane.org/gmane.linux.kernel/1124410 : | [PATCH] char: genrtc: fix infoleak to userspace | | struct pll is copied to userspace. It is filled in "multiplexing" function | get_rtc_pll(). At least one implementator, q40_get_rtc_pll(), doesn't | fill .pll_ctrl field. It's hard to understand whether either the caller | or the callee must zero the unused struct fields, however, on another | ioctl commands the caller already zeroes the structure. So, let's the | caller use memset().
No CVE for this one too; /dev/rtc is root read/write only. Thanks. Eugene -- main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
Current thread:
- CVE requests: Three Linux kernel issues Moritz Muehlenhoff (Apr 11)
- Re: CVE requests: Three Linux kernel issues Dan Rosenberg (Apr 11)
- Re: CVE requests: Three Linux kernel issues Vasiliy Kulikov (Apr 12)
- Re: CVE requests: Three Linux kernel issues Eugene Teo (Apr 11)
- Re: CVE requests: Three Linux kernel issues Eugene Teo (Apr 11)
- Re: CVE requests: Three Linux kernel issues Dan Rosenberg (Apr 11)