Re: CVE request: kernel: two issues in mpt2sas

[Eugene Teo <eugene () redhat com>]

On 04/06/2011 01:00 AM, Dan Rosenberg wrote:
> "At two points in handling device ioctls via /dev/mpt2ctl,
> user-supplied length values are used to copy data from userspace into
> heap buffers without bounds checking, allowing controllable heap
> corruption and subsequently privilege escalation.

CVE-2011-1494

> Additionally, user-supplied values are used to determine the size of a
> copy_to_user() as well as the offset into the buffer to be read, with
> no bounds checking, allowing users to read arbitrary kernel memory."
> [1]

CVE-2011-1495

> These issues require access to the /dev/mpt2sas device (LSI MPT Fusion
> SAS 2.0).  While the kernel creates this device file root-root 660 by
> default, I've seen it with more open permissions on live systems, so
> perhaps there's some common use case that requires modifying these
> default permissions.
>
> -Dan
>
> [1] http://marc.info/?l=linux-kernel&m=130202198105756&w=2

Thanks, Eugene
--
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }