oss-sec mailing list archives

Re: CVE request: kernel: parisc: isa-eeprom missing lower bound check

From: "Steven M. Christey" <coley () linus mitre org>
Date: Tue, 18 Aug 2009 16:58:43 -0400 (EDT)


I wasn't sure how to interpret the phrase "poke in random memory" from the
bug comment and there wasn't enough source code context, so I guessed that
the impact is reading unexpected memory, but maybe it's also a crash or
whatever.

- Steve


======================================================
Name: CVE-2009-2846
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2846
Reference: MLIST:[oss-security] 20090810 CVE request: kernel: parisc: isa-eeprom missing lower bound check
Reference: URL:http://www.openwall.com/lists/oss-security/2009/08/10/1
Reference: MLIST:[oss-security] 20090818 Re: CVE request: kernel: parisc: isa-eeprom missing lower bound check
Reference: URL:http://www.openwall.com/lists/oss-security/2009/08/18/6
Reference: 
CONFIRM:http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=6b4dbcd86a9d464057fcc7abe4d0574093071fcc

The eisa_eeprom_read function in the parisc isa-eeprom component
(drivers/parisc/eisa_eeprom.c) in the Linux kernel before 2.6.31-rc6
allows local users to access restricted memory via a negative ppos
argument, which bypasses a check that assumes that ppos is positive
and causes an out-of-bounds read in the readb function.

Current thread:

CVE request: kernel: parisc: isa-eeprom missing lower bound check Eugene Teo (Aug 09)
- Re: CVE request: kernel: parisc: isa-eeprom missing lower bound check Steven M. Christey (Aug 18)
- Re: CVE request: kernel: parisc: isa-eeprom missing lower bound check Steven M. Christey (Aug 18)