oss-sec mailing list archives
CVE requests: Remote packet-of-death vulnerabilities in Linux Kernel ozwpan driver
From: "Jason A. Donenfeld" <Jason () zx2c4 com>
Date: Wed, 13 May 2015 21:44:04 +0200
Hi folks, A variety of issues have been found in Linux's ozwpan driver. 1. A remote packet can be sent, resulting in funny subtractions of signed integers, which causes a memcpy(kernel_heap, network_user_buffer, -network_user_provided_length). There are two different conditions that can lead to this: https://lkml.org/lkml/2015/5/13/740 https://lkml.org/lkml/2015/5/13/744 You may want to give two CVEs or just one CVE for these two issues. 2. A remote packet can be sent, resulting in divide-by-zero in softirq, causing hard crash: https://lkml.org/lkml/2015/5/13/741 3. A remote packet can be sent, resulting in a funny subtraction, causing an insanely big loop to lock up the kernel: https://lkml.org/lkml/2015/5/13/742 4. Multiple out-of-bounds reads, resulting in possible information leakage, explained in the last paragraph of the introductory email here: https://lkml.org/lkml/2015/5/13/739 Please assign CVEs so that these can be properly tracked. Regards, Jason
Current thread:
- CVE requests: Remote packet-of-death vulnerabilities in Linux Kernel ozwpan driver Jason A. Donenfeld (May 13)