oss-sec mailing list archives

CVE request: kernel: r128 IOCTL NULL pointer dereferences when CCE state is uninitialised

From: Eugene Teo <eugeneteo () kernel sg>
Date: Mon, 19 Oct 2009 12:58:14 +0800

Quoting from the upstream commit:

"Almost all r128's private ioctls require that the CCE state has alreadybeen initialised. However, most do not test that this has been done,and will proceed to dereference a null pointer. This may result in asecurity vulnerability, since some ioctls are unprivileged.

This adds a macro for the common initialisation test and changes allioctl implementations that require prior initialisation to use that macro.


Also, r128_do_init_cce() does not test that the CCE state has not been

initialised already. Repeated initialisation may lead to a crash orresource leak. This adds that test."


http://git.kernel.org/linus/7dc482dfeeeefcfd000d4271c4626937406756d7

Other references:
http://secunia.com/advisories/36707/
https://bugzilla.redhat.com/show_bug.cgi?id=529597

Thanks, Eugene

Current thread:

CVE request: kernel: r128 IOCTL NULL pointer dereferences when CCE state is uninitialised Eugene Teo (Oct 18)
- Re: CVE request: kernel: r128 IOCTL NULL pointer dereferences when CCE state is uninitialised Josh Bressers (Oct 19)