oss-sec mailing list archives

Re: [PATCH] acpi: debugfs: fix buffer overflows, double free


From: Vasiliy Kulikov <segoon () openwall com>
Date: Mon, 24 Jan 2011 21:37:59 +0300

On Sat, Jan 22, 2011 at 15:13 -0500, Steven M. Christey wrote:

On Fri, 21 Jan 2011, Eugene Teo wrote:

On 01/21/2011 04:08 AM, Vasiliy Kulikov wrote:
File position is not controlled; it may lead to overwrites of arbitrary
kernel memory.  Also the code may kfree() the same pointer multiple
times.

http://lkml.org/lkml/2011/1/20/348
https://bugzilla.redhat.com/CVE-2011-0023

Please use CVE-2011-0023 (this does not include the unresolved
flaw described in the following paragraph below).

There seem to be 2 types of issues described above - the
uncontrolled file position / memory overwrite, and a "double free".

If you want to count every bug in this code, here you are: if you zero *ppos
after each write(), then buf is leaked :-)

So there should probably be 2 separate CVEs, not one.  Am I missing
something?

- Steve

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
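As an added example, not code from this thread or from the kernel: a constructed userspace C model of the write-handler pattern the quoted description refers to, showing the checks a defender wants in it, bounding the caller-controlled *ppos before it indexes the buffer, and freeing the buffer in exactly one place so it can be neither freed twice nor leaked when the position is reset. struct blob, blob_write, blob_complete and blob_release are assumed names, and EINVAL/ENOMEM are model constants.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed userspace model (not the kernel's acpi debugfs code) of a
 * write() handler that assembles a blob over several write() calls: a
 * write at *ppos == 0 starts with a 4-byte little-endian total length,
 * and every write lands at the caller-chosen file position *ppos. */
struct blob {
    unsigned char *buf;  /* heap buffer, NULL until the first write */
    size_t max_size;     /* total length announced in the header */
    size_t uncopied;     /* bytes still expected before the blob is done */
};

enum { HDR_LEN = 4, EINVAL = 22, ENOMEM = 12 };  /* model constants */

/* Hardened handler: returns bytes accepted, or -EINVAL / -ENOMEM. */
long blob_write(struct blob *b, const unsigned char *data, size_t count, size_t *ppos)
{
    if (*ppos == 0) {
        if (count < HDR_LEN)
            return -EINVAL;
        size_t len = data[0] | (size_t)data[1] << 8 | (size_t)data[2] << 16 | (size_t)data[3] << 24;
        if (len < HDR_LEN)
            return -EINVAL;
        /* A restarted transfer releases the previous buffer here and nowhere
         * else: no error path frees it (the double free in the thread), and
         * resetting the position between writes does not leak it either. */
        free(b->buf);
        b->buf = calloc(len, 1);
        if (!b->buf)
            return -ENOMEM;
        b->max_size = b->uncopied = len;
    }
    if (b->buf == NULL)
        return -EINVAL;
    /* The file position is caller controlled: bound it, and the addition
     * *ppos + count without wrapping, before it indexes buf. */
    if (*ppos > b->max_size || count > b->max_size - *ppos || count > b->uncopied)
        return -EINVAL;
    memcpy(b->buf + *ppos, data, count);
    b->uncopied -= count;
    *ppos += count;
    return (long)count;
}

/* True once every announced byte has arrived. */
int blob_complete(const struct blob *b) { return b->buf && b->uncopied == 0; }

/* Release the buffer; the only other free() is the restart path above. */
void blob_release(struct blob *b) { free(b->buf); b->buf = NULL; b->max_size = b->uncopied = 0; }
```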

