Re: CVE Request: Linux Kernel Ozwpan Driver - Remote packet-of-death vulnerabilities

["Jason A. Donenfeld" <Jason () zx2c4 com>]

Hi folks,

Just providing an update on this. Several fixes for these issues have
been merged.

On Wed, May 27, 2015 at 4:45 PM, Jason A. Donenfeld
> 1. A remote packet can be sent, resulting in funny subtractions of
> signed integers, which causes a memcpy(kernel_heap,
> network_user_buffer, -network_user_provided_length).
>
> There are two different conditions that can lead to this:
> https://lkml.org/lkml/2015/5/13/740
> https://lkml.org/lkml/2015/5/13/744
> You may want to give two CVEs or just one CVE for these two issues.

https://git.kernel.org/cgit/linux/kernel/git/gregkh/staging.git/commit/?id=d114b9fe78c8d6fc6e70808c2092aa307c36dc8e
https://git.kernel.org/cgit/linux/kernel/git/gregkh/staging.git/commit/?id=b1bb5b49373b61bf9d2c73a4d30058ba6f069e4c

Please assign a CVE.


> 2. A remote packet can be sent, resulting in divide-by-zero in
> softirq, causing hard crash:
> https://lkml.org/lkml/2015/5/13/741

https://git.kernel.org/cgit/linux/kernel/git/gregkh/staging.git/commit/?&id=04bf464a5dfd9ade0dda918e44366c2c61fce80b

Please assign a CVE.

> 3. A remote packet can be sent, resulting in a funny subtraction,
> causing an insanely big loop to lock up the kernel:
> https://lkml.org/lkml/2015/5/13/742

https://git.kernel.org/cgit/linux/kernel/git/gregkh/staging.git/commit/?id=9a59029bc218b48eff8b5d4dde5662fd79d3e1a8

Please assign a CVE.


> 4. Multiple out-of-bounds reads, resulting in possible information
> leakage, explained in the last paragraph of the introductory email
> here:
> https://lkml.org/lkml/2015/5/13/739

The maintainer has not yet written a patch to fix this issue, so it
remains an open case.

Please assign a CVE.



I'd appreciate getting these CVEs assigned sooner rather than later.

Thanks,
Jason