Re: CVE request: kernel: multiple issues in ROSE

[Dan Rosenberg <dan.j.rosenberg () gmail com>]

Any update on this?

Thanks,
Dan

On Mon, Mar 21, 2011 at 12:47 AM, Eugene Teo <eugene () redhat com> wrote:
> On 03/21/2011 03:40 AM, Dan Rosenberg wrote:
> > I sent in a patch [1] resolving two issues in ROSE:
> >
> > "When parsing the FAC_NATIONAL_DIGIS facilities field, it's possible
> > for a remote host to provide more digipeaters than expected, resulting
> > in heap corruption.  Check against ROSE_MAX_DIGIS to prevent
> > overflows, and abort facilities parsing on failure.
> >
> > Additionally, when parsing the FAC_CCITT_DEST_NSAP and
> > FAC_CCITT_SRC_NSAP facilities fields, a remote host can provide a
> > length of less than 10, resulting in an underflow in a memcpy size,
> > causing a kernel panic due to massive heap corruption.  A length of
> > greater than 20 results in a stack overflow of the callsign array.
> > Abort facilities parsing on these invalid length values."
> >
> > These issues may both result in code execution.  They may be triggered
> > by a remote attacker if the victim has a listening ROSE socket, or by
> > a local attacker (for privilege escalation) if a ROSE device exists
> > (e.g. rose0).
> >
> > Ben Hutchings followed up with a patch [2] that resolves a number of
> > other ROSE issues related to lack of size field validation, some of
> > which may also result in heap corruption.
> >
> > Not sure about the proper CVE breakdown for all these issues, since
> > the entire protocol was quite broken.  Perhaps one is enough to cover
> > everything.
>
> I am not sure. I would just assign one for the collection of issues here but
> I will let Steve decide instead.
>
> > [1] http://marc.info/?l=linux-netdev&m=130060344616926
> > [2] http://marc.info/?l=linux-netdev&m=130063972406389&w=2
>
> Thanks, Eugene
> --
> main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }