oss-sec mailing list archives
Re: CVE request: kernel: heap corruption in IrDA
From: Eugene Teo <eugene () redhat com>
Date: Mon, 21 Mar 2011 12:59:53 +0800
On 03/21/2011 03:26 AM, Dan Rosenberg wrote:
> When providing an invalid IrDA nickname for an IrNET peer, a local attacker can cause a kernel panic due to an underflow in a memcpy() size calculation or cause a controllable heap overflow that may lead to privilege escalation. Write access to the /dev/irnet device file is required to trigger the vulnerability.
>
> Reference: http://marc.info/?l=linux-netdev&m=130060169116047&w=2

The default permissions for /dev/irnet are root-read/write only. In the past I have ignored such issues that can only be triggered by root, even though the permissions can be changed. I wouldn't assign a CVE name for this. CC'ed Steve.

Thanks, Eugene
--
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }