oss-sec mailing list archives
CVE requests: Three Linux kernel issues
From: Moritz Muehlenhoff <jmm () debian org>
Date: Mon, 11 Apr 2011 23:38:13 +0200
Hi,
I noticed the following reports by Vasiliy Kulikov on linux-kernel.
Josh/Eugene, please assign CVE IDs:

[1]
http://permalink.gmane.org/gmane.linux.kernel/1124411 :

| [PATCH] char: briq_panel: fix TOCTOU bug
|
| There is a TOCTOU bug in briq_panel_write() code:
|
|     if (vfd_cursor > 39)         <<<
|         scroll_vfd();
|     vfd[vfd_cursor++] = c;       <<<
|
| It's possible to write to arbitrary memory location if more than
| one process tries to call write() simultaneously.

[2]
http://permalink.gmane.org/gmane.linux.kernel/1124410 :

| [PATCH] char: genrtc: fix infoleak to userspace
|
| struct pll is copied to userspace. It is filled in "multiplexing" function
| get_rtc_pll(). At least one implementer, q40_get_rtc_pll(), doesn't
| fill .pll_ctrl field. It's hard to understand whether either the caller
| or the callee must zero the unused struct fields, however, on other
| ioctl commands the caller already zeroes the structure. So, let the
| caller use memset().

[3]
http://permalink.gmane.org/gmane.linux.kernel/1124409 :

| [PATCH] char: istallion: fix arbitrary kernel memory reads/writes
|
| stli_brdstats is defined as global variable. After de-BKL-ization in
| the patch b4eda9cb48eac1b7 an access to the variable is not serialized
| anymore. This leads to the TOCTOU in stli_getbrdstats():
|
|     if (copy_from_user(&stli_brdstats, bp, sizeof(combrd_t)))
|         return -EFAULT;
|     if (stli_brdstats.brd >= STL_MAXBRDS)        <<<<
|         return -ENODEV;
|     brdp = stli_brds[stli_brdstats.brd];         <<<<
|
| If one process calls COM_GETBRDSTATS ioctl() with sane .brd, second
| process calls COM_GETBRDSTATS ioctl() with invalid .brd, and the
| second process' copy_from_user() executes exactly between the check and
| stli_brds[] indexation of the first process, then the first process gets
| contents of memory at *stli_brds[stli_brdstats.brd] address. Also
| the resulting .nrpanels field may be too big, in this case
| stli_brdstats.panels array overflows.

Cheers,
        Moritz
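Added example, not part of the original message and not the upstream patch: a userspace C model of the check-then-use pattern quoted in [3], next to a variant that snapshots the request into a local copy so the checked value and the used value cannot diverge. MAXBRDS, struct brdstats, the race_window hook and the function names are hypothetical; memcpy() stands in for copy_from_user(), and the functions return the index instead of dereferencing a board table.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAXBRDS 4                        /* stands in for STL_MAXBRDS */

struct brdstats { unsigned int brd; };   /* reduced model of combrd_t */

static struct brdstats shared_stats;     /* global, like stli_brdstats */
static void (*race_window)(void);        /* hook run between check and use */

/* Models a second caller's copy landing in the global with an invalid .brd. */
static void second_caller_writes_invalid(void) { shared_stats.brd = 1000; }

/* Reported pattern: check and use both go through the shared global.
 * Returns the index that would be applied to the board table, or -errno. */
long getbrd_shared(const struct brdstats *user)
{
    memcpy(&shared_stats, user, sizeof(shared_stats));
    if (shared_stats.brd >= MAXBRDS)
        return -ENODEV;
    if (race_window)
        race_window();                   /* concurrent writer gets in here */
    return (long)shared_stats.brd;       /* re-read: may not be the checked value */
}

/* Local snapshot: the value that was checked is the value that is used. */
long getbrd_local(const struct brdstats *user)
{
    struct brdstats local;
    memcpy(&local, user, sizeof(local));
    if (local.brd >= MAXBRDS)
        return -ENODEV;
    if (race_window)
        race_window();                   /* writer can only reach the global */
    return (long)local.brd;
}

int main(void)
{
    struct brdstats req = { .brd = 2 };  /* constructed, in-range request */
    race_window = second_caller_writes_invalid;
    printf("shared global: index used = %ld\n", getbrd_shared(&req));
    printf("local copy:    index used = %ld\n", getbrd_local(&req));
    return 0;
}
```

Serializing access to the global with a lock is the other way to close the same window; the model shows only the local-copy approach.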