oss-sec mailing list archives

Re: CVE request: kernel: parisc: isa-eeprom missing lower bound check

From: "Steven M. Christey" <coley () linus mitre org>
Date: Tue, 18 Aug 2009 14:33:35 -0400 (EDT)


Use CVE-2009-2846, to be filled in later.

- Steve


On Mon, 10 Aug 2009, Eugene Teo wrote:

loff_t is a signed type. If userspace passes a negative ppos, the
"count" range check is weakened. If ppos is negative, the readb() later
in the function will poke in random memory. Only affects if you are
using a PA-RISC kernel with CONFIG_EISA set.

Upstream commit:
http://git.kernel.org/linus/6b4dbcd86a9d464057fcc7abe4d0574093071fcc

Reference:
http://patchwork.kernel.org/patch/36418/

Thanks, Eugene

Current thread:

CVE request: kernel: parisc: isa-eeprom missing lower bound check Eugene Teo (Aug 09)
- Re: CVE request: kernel: parisc: isa-eeprom missing lower bound check Steven M. Christey (Aug 18)
- Re: CVE request: kernel: parisc: isa-eeprom missing lower bound check Steven M. Christey (Aug 18)