oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE request: kernel: r128 IOCTL NULL pointer dereferences when CCE state is uninitialised

From: Josh Bressers <bressers () redhat com>
Date: Mon, 19 Oct 2009 15:26:16 -0400 (EDT)
Please use CVE-2009-3620

Thanks.

-- 
    JB

----- "Eugene Teo" <eugeneteo () kernel sg> wrote:


Quoting from the upstream commit:
"Almost all r128's private ioctls require that the CCE state has
already 
been initialised.  However, most do not test that this has been done,

and will proceed to dereference a null pointer.  This may result in a

security vulnerability, since some ioctls are unprivileged.

This adds a macro for the common initialisation test and changes all 
ioctl implementations that require prior initialisation to use that
macro.

Also, r128_do_init_cce() does not test that the CCE state has not
been
initialised already.  Repeated initialisation may lead to a crash or 
resource leak.  This adds that test."

http://git.kernel.org/linus/7dc482dfeeeefcfd000d4271c4626937406756d7

Other references:
http://secunia.com/advisories/36707/
https://bugzilla.redhat.com/show_bug.cgi?id=529597

Thanks, Eugene
Previous By Date Next
Previous By Thread Next

Current thread: