oss-sec mailing list archives
CVE request -- Linux kernel: vhost: fix length for cross region descriptor
From: Petr Matousek <pmatouse () redhat com>
Date: Wed, 20 Feb 2013 01:41:59 +0100
If a single descriptor crosses a region, the second chunk length should be decremented by size translated so far, instead it includes the full descriptor length. A privileged guest user could use this flaw to crash the host or, potentially, corrupt host memory.

Upstream fix:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=bd97120fc3d1a11f3124c7c9ba1d91f51829eb85

References:
https://bugzilla.redhat.com/show_bug.cgi?id=912905

Thanks,
--
Petr Matousek / Red Hat Security Response Team
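The length error described in the message, shown as an added example in a simplified user-space model; this is not the kernel's code or the upstream patch. The region table, struct names and the `fixed` switch are assumptions made for illustration: with `fixed == 0` every chunk is capped by the full descriptor length, with `fixed == 1` by the length minus the bytes already translated.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a guest memory region table (hypothetical names). */
struct region { uint64_t gpa, size, hva; };
struct chunk  { uint64_t hva, len; };

/* Constructed layout: adjacent guest regions, non-adjacent host mappings. */
static const struct region regions[] = {
    { 0x0000, 0x1000, 0x700000 },
    { 0x1000, 0x1000, 0x900000 },
};

static const struct region *find_region(uint64_t addr)
{
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++)
        if (addr >= regions[i].gpa && addr - regions[i].gpa < regions[i].size)
            return &regions[i];
    return NULL;
}

/* Translate guest range [addr, addr+len) into host chunks.
 * Returns the total bytes the chunks cover, or 0 on failure. */
static uint64_t translate(uint64_t addr, uint64_t len, int fixed,
                          struct chunk *out, int max, int *n)
{
    uint64_t s = 0, total = 0;          /* s = bytes translated so far */
    *n = 0;
    while (s < len) {
        const struct region *r = find_region(addr + s);
        if (!r || *n >= max) return 0;
        uint64_t off  = addr + s - r->gpa;
        uint64_t room = r->size - off;            /* bytes left in region */
        uint64_t want = fixed ? len - s : len;    /* flaw: ignores s */
        uint64_t take = want < room ? want : room;
        out[*n].hva = r->hva + off;
        out[(*n)++].len = take;
        s += take; total += take;
    }
    return total;
}

int main(void)
{
    struct chunk c[4]; int n;
    for (int fixed = 0; fixed <= 1; fixed++)   /* 0x100-byte descriptor, 0x40 before the boundary */
        printf("fixed=%d total=0x%llx\n", fixed, (unsigned long long)translate(0x0FC0, 0x100, fixed, c, 4, &n));
    return 0;
}
```

In the flawed mode the two chunks cover 0x140 bytes for a 0x100-byte descriptor, so the second chunk extends 0x40 bytes past what the guest described; a useful regression check is that the chunk lengths always sum to exactly the descriptor length.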