oss-sec mailing list archives

Re: CVE request: kernel: OOM-killer via argv expansion

From: Kees Cook <kees () ubuntu com>
Date: Mon, 28 Feb 2011 13:02:02 -0800

On Mon, Feb 28, 2011 at 12:32:55PM -0800, Kees Cook wrote:

I think the flaw[1] with argv-expansion triggering the OOM-killer
incorrectly needs its own CVE.

While the stack guard page and the fixes[2] for CVE-2010-3858 certainly
improved things, argv expansion can still be tricked into OOM-killing the
entire system. Solutions were discussed on the original thread, but
were not finished. Recently a set of patches[3] has been re-proposed to fix
this issue. Regardless, it should probably get its own CVE assigned.

Thanks,

-Kees

[1] https://lkml.org/lkml/2010/8/27/429
[2] http://git.kernel.org/linus/1b528181b2ffa14721fb28ad1bd539fe1732c583
[3] https://lkml.org/lkml/2011/2/25/227


Sorry, Nelson Elhage pointed out to me that I missed the fix for this
issue. The issue was been fixed with:
http://git.kernel.org/linus/3c77f845722158206a7209c45ccddc264d19319c

This was already assigned as CVE-2010-4243

Sorry for the noise, and thanks!

-Kees

-- 
Kees Cook
Ubuntu Security Team

Current thread:

CVE request: kernel: OOM-killer via argv expansion Kees Cook (Feb 28)
- Re: CVE request: kernel: OOM-killer via argv expansion Kees Cook (Feb 28)
  - Re: CVE request: kernel: OOM-killer via argv expansion Kees Cook (Feb 28)
    - Re: CVE request: kernel: OOM-killer via argv expansion Nelson Elhage (Feb 28)
    - Re: CVE request: kernel: OOM-killer via argv expansion Eugene Teo (Feb 28)