Re: CVE request: kernel: btrfs heap overflow

[Eugene Teo <eugene () redhat com>]

On 02/10/2011 12:01 AM, Eugene Teo wrote:
> On 02/09/2011 11:49 PM, Dan Rosenberg wrote:
> > I'm not aware of any distributions that support 2.6.37 kernels, but as
> > far as I know this doesn't affect CVE eligibility (please correct me
> > if I'm wrong).
>
> Ok, I'm just asking. Please use CVE-2011-0696.

Wrong, race condition. Please use CVE-2011-0699 instead.

Thanks, Eugene

> Eugene
>
> > On Wed, Feb 9, 2011 at 10:20 AM, Eugene Teo<eugene () redhat com> wrote:
> > > On 02/09/2011 10:27 PM, Dan Rosenberg wrote:
> > > > Commit bf5fc093c5b625e4259203f1cee7ca73488a5620 refactored
> > > > btrfs_ioctl_space_info() and introduced security issues. Since they
> > > > were all introduced at once and fixed at the same time, one CVE should
> > > > suffice.
> > > >
> > > > Due to integer truncation or a signedness error in a typecasted
> > > > comparison, an integer overflow in an allocation size calculation, and
> > > > a failure to properly check bounds when copying data, it was possible
> > > > for an unprivileged user to cause a denial-of-service due to writing
> > > > to an invalid pointer (ZERO_SIZE_PTR) or cause a kernel heap overflow.
> > > >
> > > > -Dan
> > > >
> > > > [1] http://marc.info/?l=linux-kernel&m=129726078708425&w=2
> > >
> > > Commit bf5fc093c was introduced very recently - v2.6.37-rc1 Sept last
> > > year.
> > > Do we have commercially supported kernels that are affected by this?
> > >
> > > Thanks, Eugene