oss-sec mailing list archives
Re: CVE Request: kernel - sock_diag: Fix out-of-bounds access to sock_diag_handlers[]
From: Petr Matousek <pmatouse () redhat com>
Date: Sun, 24 Feb 2013 14:49:31 +0100
On Sun, Feb 24, 2013 at 10:10:45AM +0100, Mathias Krause wrote:
An unprivileged user can send a netlink message resulting in an out-of-bounds access of the sock_diag_handlers[] array which, in turn, allows userland to take over control while in kernel mode. Patch (already in net/master): http://thread.gmane.org/gmane.linux.network/260061 Affected versions: v3.3 - v3.8 PoC is not attached this time but can be requested on demand. Hint: Works well on Fedora 18, bypassing all mmap_min_addr checks. ;)
Please use CVE-2013-1763. Thanks, -- Petr Matousek / Red Hat Security Response Team
Current thread:
- CVE Request: kernel - sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Mathias Krause (Feb 24)
- Re: CVE Request: kernel - sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Petr Matousek (Feb 24)
- Re: CVE Request: kernel - sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Solar Designer (Feb 25)
- Re: CVE Request: kernel - sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Mathias Krause (Feb 25)
- Re: CVE Request: kernel - sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Mathias Krause (Feb 25)
- Re: CVE Request: kernel - sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Solar Designer (Feb 25)
- Re: CVE Request: kernel - sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Mathias Krause (Feb 25)
- Re: CVE Request: kernel - sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Dan Rosenberg (Feb 25)
- Re: CVE Request: kernel - sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Mathias Krause (Feb 25)
- Re: CVE Request: kernel - sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Dan Rosenberg (Feb 25)
- Re: CVE Request: kernel - sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Mathias Krause (Feb 25)
- Re: CVE Request: kernel - sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Jason A. Donenfeld (Feb 25)
- Re: CVE Request: kernel - sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Mathias Krause (Feb 25)