oss-sec mailing list archives
Re: CVE requests for three Linux kernel issues
From: P J P <ppandit () redhat com>
Date: Wed, 20 Nov 2013 12:19:47 +0530 (IST)
Hello Moritz, +-- On Tue, 19 Nov 2013, Petr Matousek wrote --+ | non-issues. Prasad (CC'ed) can provide reasons why. | > XADV-2013008 Linux Kernel 3.11.7 <= sk_attach_filter Kernel Heap Corruption | > http://seclists.org/fulldisclosure/2013/Nov/139 Here, integer overflow does not occur because 'fprog->len' is of type 'unsigned short' and sizeof(struct sock_filter) = 8 bytes. unsigned int fsize = sizeof(struct sock_filter) * fprog->len; = 8 * 65535(0xffff) = 524280 => 0x0007fff8 === // XXX Integer overflow (+ sizeof(*fp)) and causing a little allocation. fp = sock_kmalloc(sk, fsize+sizeof(*fp), GFP_KERNEL); === Adding few more bytes 'sizeof(*fp)' to 'fsize' above is unlikely to overflow an unsigned int. | > XADV-2013007 Linux Kernel bt8xx Video Driver IOCTL Heap Overflow | > http://seclists.org/fulldisclosure/2013/Nov/126 Here, 'win->clipcount' is of type 'unsigned int' OR '__u32', which is checked for > 2048 in verify_window(). It returns an error if it is greater than 2048. If we set win->clipcount to '-3', it'll be seen as '4294967293', which is way greater than 2048. Thus avoiding the said heap overflow. ->> XADV-2013003 Linux Kernel fbdev Driver arcfb_write() Overflow | > http://seclists.org/fulldisclosure/2013/Nov/75 Here, the call - write(/dev/fb, buf, count=0xffffffff) - passes through various VFS routines before reaching arcfb_write(). Enroute to 'arcfb_write', the routine vfs_write()->rw_verify_area() limits the 'count' argument to MAX_RW_COUNT via: #define MAX_RW_COUNT (INT_MAX & PAGE_CACHE_MASK) /* 2147479552|0x7ffff000 */ return count > MAX_RW_COUNT ? MAX_RW_COUNT : count; If count=MAX_RW_COUNT, the position parameter 'p' in arcfb_write() would have to be at least >= 0x80001000(ie. 2147487744), for 'count + position' to overflow an unsigned int fbmemlength at: if ((count + p) > fbmemlength) But, that large a position value would not fall through an earlier check at fbmemlength = (xres * info->var.yres) / 8; if (p > bmemlength) return -ENOSPC; Hope this helps. Thank you. -- Prasad J Pandit / Red Hat Security Response Team
Current thread:
- CVE requests for three Linux kernel issues Moritz Muehlenhoff (Nov 19)
- Re: CVE requests for three Linux kernel issues Petr Matousek (Nov 19)
- Re: CVE requests for three Linux kernel issues P J P (Nov 19)
- Re: CVE requests for three Linux kernel issues Daniel Borkmann (Nov 20)
- Re: CVE requests for three Linux kernel issues P J P (Nov 19)
- Re: CVE requests for three Linux kernel issues Petr Matousek (Nov 19)