oss-sec mailing list archives
Re: CVE request: kernel: two issues in mpt2sas
From: Eugene Teo <eugene () redhat com>
Date: Wed, 06 Apr 2011 16:42:14 +0800
On 04/06/2011 01:00 AM, Dan Rosenberg wrote:
> "At two points in handling device ioctls via /dev/mpt2ctl, user-supplied length values are used to copy data from userspace into heap buffers without bounds checking, allowing controllable heap corruption and subsequently privilege escalation.

CVE-2011-1494

> Additionally, user-supplied values are used to determine the size of a copy_to_user() as well as the offset into the buffer to be read, with no bounds checking, allowing users to read arbitrary kernel memory." [1]

CVE-2011-1495

> These issues require access to the /dev/mpt2sas device (LSI MPT Fusion SAS 2.0). While the kernel creates this device file root-root 660 by default, I've seen it with more open permissions on live systems, so perhaps there's some common use case that requires modifying these default permissions.
>
> -Dan
>
> [1] http://marc.info/?l=linux-kernel&m=130202198105756&w=2
Thanks,
Eugene

-- 
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
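Added example, not code from the mpt2sas driver and not part of either message in this thread: a user-space C model of the two ioctl bug classes the request describes, each beside the bounds check that closes it. The structures, field names, buffer sizes and the `fake_copy_*` stand-ins for copy_from_user()/copy_to_user() are all hypothetical; the first case writes a caller-chosen length into a fixed-size heap buffer and clobbers the neighbouring chunk, the second copies a caller-chosen offset and length out of a kernel buffer and returns the bytes that follow it.

```c
#include <errno.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KBUF_SIZE   64   /* hypothetical heap buffer the handler allocates per request */
#define REPLY_SIZE  128  /* hypothetical kernel-side reply buffer the read path copies from */

/* Hypothetical ioctl argument block; every field is caller-controlled. */
struct fake_ioctl_arg {
    uint32_t data_len;        /* bytes to copy in from data_ptr */
    uint32_t reply_off;       /* offset into the kernel reply buffer */
    uint32_t reply_len;       /* bytes to copy back out */
    const uint8_t *data_ptr;  /* stands in for a __user pointer */
    uint8_t *reply_ptr;       /* stands in for a __user pointer */
};

/* Models a heap chunk: the request buffer followed by whatever the allocator
 * placed next to it (a canary stands in for the neighbouring chunk). */
struct heap_model {
    uint8_t  kbuf[KBUF_SIZE];
    uint32_t next_chunk;      /* 0xA5A5A5A5 while intact */
};

/* Models the kernel memory the read path touches: the reply buffer followed
 * by data that must never reach user space. */
struct kmem_model {
    uint8_t reply[REPLY_SIZE];
    uint8_t secret[16];
};

/* User-space stand-ins for copy_from_user()/copy_to_user(): a memcpy that
 * always succeeds. The bounds problem is identical with the real calls. */
static int fake_copy_from_user(void *dst, const void *src, size_t n) { memcpy(dst, src, n); return 0; }
static int fake_copy_to_user(void *dst, const void *src, size_t n) { memcpy(dst, src, n); return 0; }

/* Bug class 1: user-supplied length into a fixed-size heap buffer, no check. */
static int vuln_write_ioctl(struct heap_model *h, const struct fake_ioctl_arg *arg)
{
    return fake_copy_from_user(h->kbuf, arg->data_ptr, arg->data_len) ? -EFAULT : 0;
}

static int safe_write_ioctl(struct heap_model *h, const struct fake_ioctl_arg *arg)
{
    if (arg->data_len > KBUF_SIZE)
        return -EINVAL;       /* reject before the heap is touched */
    return fake_copy_from_user(h->kbuf, arg->data_ptr, arg->data_len) ? -EFAULT : 0;
}

/* Bug class 2: user-supplied offset and size handed to copy_to_user(), no check. */
static int vuln_read_ioctl(const struct kmem_model *km, const struct fake_ioctl_arg *arg)
{
    return fake_copy_to_user(arg->reply_ptr, km->reply + arg->reply_off, arg->reply_len) ? -EFAULT : 0;
}

static int safe_read_ioctl(const struct kmem_model *km, const struct fake_ioctl_arg *arg)
{
    /* Check the two bounds separately: "reply_off + reply_len > REPLY_SIZE"
     * wraps in 32 bits and would let off=1, len=0xFFFFFFFF through. */
    if (arg->reply_off > REPLY_SIZE || arg->reply_len > REPLY_SIZE - arg->reply_off)
        return -EINVAL;
    return fake_copy_to_user(arg->reply_ptr, km->reply + arg->reply_off, arg->reply_len) ? -EFAULT : 0;
}

/* Constructed input: KBUF_SIZE + 4 bytes of 'A', sized to land exactly on the
 * neighbouring chunk. Returns that chunk's value after the handler ran. */
static uint32_t write_demo(int (*handler)(struct heap_model *, const struct fake_ioctl_arg *))
{
    struct heap_model h;
    uint8_t payload[KBUF_SIZE + 4];
    struct fake_ioctl_arg arg = {0};
    volatile uint32_t len = sizeof payload;  /* keeps the compiler from folding the length */

    memset(&h, 0, sizeof h);
    h.next_chunk = 0xA5A5A5A5u;
    memset(payload, 0x41, sizeof payload);
    arg.data_len = len;
    arg.data_ptr = payload;
    handler(&h, &arg);
    return h.next_chunk;
}

/* Constructed input: read 16 bytes starting right after reply[].
 * Returns 1 if the secret reached the "user" buffer, 0 otherwise. */
static int read_demo(int (*handler)(const struct kmem_model *, const struct fake_ioctl_arg *))
{
    struct kmem_model km;
    uint8_t user_out[16];
    struct fake_ioctl_arg arg = {0};

    memset(&km, 0, sizeof km);
    memcpy(km.secret, "KERNEL-SECRET-0!", 16);   /* constructed marker, not real data */
    memset(user_out, 0, sizeof user_out);
    arg.reply_off = REPLY_SIZE;
    arg.reply_len = 16;
    arg.reply_ptr = user_out;
    handler(&km, &arg);
    return memcmp(user_out, km.secret, 16) == 0;
}

/* The wrap-around pair the separate-bounds check exists for. */
static int wrap_demo(void)
{
    struct kmem_model km;
    uint8_t user_out[4];
    struct fake_ioctl_arg arg = {0};

    memset(&km, 0, sizeof km);
    arg.reply_off = 1;
    arg.reply_len = 0xFFFFFFFFu;
    arg.reply_ptr = user_out;
    return safe_read_ioctl(&km, &arg);
}

int main(void)
{
    printf("vulnerable write: next chunk = 0x%08x\n", write_demo(vuln_write_ioctl));
    printf("fixed write:      next chunk = 0x%08x\n", write_demo(safe_write_ioctl));
    printf("vulnerable read:  secret leaked = %d\n", read_demo(vuln_read_ioctl));
    printf("fixed read:       secret leaked = %d\n", read_demo(safe_read_ioctl));
    printf("fixed read, wrapping pair: rc = %d\n", wrap_demo());
    return 0;
}
```

The separate-bounds check in `safe_read_ioctl` is the part worth copying: a single `off + len > size` comparison on 32-bit fields is the usual way a "fixed" handler stays exploitable, since the sum wraps and the check passes. The write-side check is the same idea applied before the allocation is used, so that the caller's length never reaches the copy.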
Current thread:
- CVE request: kernel: two issues in mpt2sas Dan Rosenberg (Apr 05)
- Re: CVE request: kernel: two issues in mpt2sas Eugene Teo (Apr 06)