oss-sec mailing list archives
CVE Request: kernel: ethtool: kernel buffer overflow in ETHTOOL_GRXCLSRLALL
From: Eugene Teo <eugeneteo () kernel sg>
Date: Wed, 30 Jun 2010 08:05:50 +0800
On 06/29/2010 11:53 PM, akuster wrote:
Eugene, Thanks for the info. Unfortunately it does affect a few MontaVista kernels. Is it possible to get a CVE for this?
I edited the $SUBJECT :) Eugene
On 06/28/2010 04:10 PM, Eugene Teo wrote:FYI, "On a 32-bit machine, info.rule_cnt>= 0x40000000 leads to integer overflow and the buffer may be smaller than needed. Since ETHTOOL_GRXCLSRLALL is unprivileged, this can presumably be used for at least denial of service." This was introduced in v2.6.27-rc1 via upstream commit 0853ad66. Also see commit 59089d8d. Reference: http://thread.gmane.org/gmane.linux.network/164869 https://bugzilla.redhat.com/show_bug.cgi?id=608950 I'm not requesting a CVE name for this as it did not affect any of our Red Hat supported Linux kernels. Thanks, Eugene
-- main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
Current thread:
- kernel: ethtool: kernel buffer overflow in ETHTOOL_GRXCLSRLALL Eugene Teo (Jun 28)
- Re: kernel: ethtool: kernel buffer overflow in ETHTOOL_GRXCLSRLALL akuster (Jun 29)
- CVE Request: kernel: ethtool: kernel buffer overflow in ETHTOOL_GRXCLSRLALL Eugene Teo (Jun 29)
- Re: CVE Request: kernel: ethtool: kernel buffer overflow in ETHTOOL_GRXCLSRLALL Josh Bressers (Jun 30)
- CVE Request: kernel: ethtool: kernel buffer overflow in ETHTOOL_GRXCLSRLALL Eugene Teo (Jun 29)
- Re: kernel: ethtool: kernel buffer overflow in ETHTOOL_GRXCLSRLALL akuster (Jun 29)