oss-sec mailing list archives

CVE requests: Three Linux kernel issues


From: Moritz Muehlenhoff <jmm () debian org>
Date: Mon, 11 Apr 2011 23:38:13 +0200

Hi,
I noticed the following reports by Vasiliy Kulikov on linux-kernel.

Josh/Eugene, please assign CVE IDs:

[1] http://permalink.gmane.org/gmane.linux.kernel/1124411 :

| [PATCH] char: briq_panel: fix TOCTOU bug
|
| There is a TOCTOU bug in briq_panel_write() code:
|
|     if (vfd_cursor > 39)   <<<
|             scroll_vfd();
|     vfd[vfd_cursor++] = c; <<<
|
| It's possible to write to an arbitrary memory location in case more than
| one process tries to call write() simultaneously.

[2] http://permalink.gmane.org/gmane.linux.kernel/1124410 :

| [PATCH] char: genrtc: fix infoleak to userspace
|
| struct pll is copied to userspace.  It is filled in the "multiplexing" function
| get_rtc_pll().  At least one implementer, q40_get_rtc_pll(), doesn't
| fill the .pll_ctrl field.  It's hard to understand whether the caller
| or the callee must zero the unused struct fields; however, on other
| ioctl commands the caller already zeroes the structure.  So, let the
| caller use memset().

[3] http://permalink.gmane.org/gmane.linux.kernel/1124409 :

| [PATCH] char: istallion: fix arbitrary kernel memory reads/writes
|
| stli_brdstats is defined as a global variable.  After de-BKL-ization in
| the patch b4eda9cb48eac1b7, access to the variable is not serialized
| anymore.  This leads to a TOCTOU in stli_getbrdstats():
|
|        if (copy_from_user(&stli_brdstats, bp, sizeof(combrd_t)))
|                return -EFAULT;
|        if (stli_brdstats.brd >= STL_MAXBRDS)  <<<<
|                return -ENODEV;
|        brdp = stli_brds[stli_brdstats.brd];   <<<<
|
| If one process calls the COM_GETBRDSTATS ioctl() with a sane .brd, a second
| process calls the COM_GETBRDSTATS ioctl() with an invalid .brd, and the
| second process' copy_from_user() executes exactly between the check and
| the stli_brds[] indexing of the first process, then the first process gets
| the contents of memory at the *stli_brds[stli_brdstats.brd] address.  Also,
| the resulting .nrpanels field may be too big, in which case the
| stli_brdstats.panels array overflows.

Cheers,
        Moritz
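
The check-then-use race quoted in [3] (the same shape as the vfd_cursor race in [1]), as an added user-space model. This is example code written for this page; it is neither the kernel's istallion code nor Vasiliy Kulikov's patch, and every name in it (struct combrd, stlibrd, copy_from_user_sim, race_hook_t, getbrdstats_vulnerable, getbrdstats_fixed, the sample requests) is a hypothetical stand-in. The "second process" is modelled as a hook that runs exactly in the window between the bounds check and the array index, which is the interleaving the report describes. The hardened variant copies the request into a stack-local before validating it, so a concurrent writer to the global cannot change what was checked; it also rejects negative indices and unpopulated slots, which goes beyond the quoted snippet.

```c
/* Added example, not kernel code: models the stli_getbrdstats() TOCTOU in
 * user space.  All identifiers are hypothetical stand-ins. */
#include <stddef.h>
#include <string.h>

#define STL_MAXBRDS 4
#define ENODEV 19
#define EFAULT 14

/* Constructed stand-in for the ioctl request structure (combrd_t). */
struct combrd {
    int brd;       /* board index chosen by the caller */
    int nrpanels;  /* filled in by the driver */
};

/* Constructed stand-in for a board descriptor. */
struct stlibrd {
    int id;
    int nrpanels;
};

/* Board table with one populated slot; NULL slots model absent boards. */
static struct stlibrd board0 = { .id = 0, .nrpanels = 2 };
static struct stlibrd *stli_brds[STL_MAXBRDS] = { &board0, NULL, NULL, NULL };

/* The shared global that makes the race possible: every caller of the
 * ioctl copies its request into this one buffer. */
static struct combrd stli_brdstats;

/* Stand-in for copy_from_user(): 0 on success, nonzero on a bad pointer. */
static int copy_from_user_sim(void *dst, const void *src, size_t n)
{
    if (src == NULL)
        return 1;
    memcpy(dst, src, n);
    return 0;
}

/* A race hook models the second process.  When set, it runs between the
 * bounds check and the array index of the first process. */
typedef void (*race_hook_t)(void);

/* The second process's ioctl lands an out-of-range .brd in the global. */
static void second_process_writes_invalid_brd(void)
{
    struct combrd evil = { .brd = 1000, .nrpanels = 0 };
    copy_from_user_sim(&stli_brdstats, &evil, sizeof(evil));
}

/* Vulnerable shape: both the check and the use read the shared global.
 * Returns -EFAULT/-ENODEV, or the index that would actually be used for
 * stli_brds[], so a caller can observe an unchecked index getting through.
 * The array is deliberately not dereferenced here; in the kernel that is
 * the out-of-bounds read the report describes. */
static int getbrdstats_vulnerable(const struct combrd *bp, race_hook_t hook)
{
    if (copy_from_user_sim(&stli_brdstats, bp, sizeof(struct combrd)))
        return -EFAULT;
    if (stli_brdstats.brd >= STL_MAXBRDS)   /* check (only upper bound, as quoted) */
        return -ENODEV;
    if (hook)
        hook();                             /* the window */
    return stli_brdstats.brd;               /* use: re-read from the global */
}

/* Hardened shape: validate a private stack copy and use only that copy.
 * Also rejects negative indices and empty slots (additions of this example). */
static int getbrdstats_fixed(const struct combrd *bp, race_hook_t hook,
                             struct combrd *out)
{
    struct combrd req;   /* no shared state between check and use */

    if (copy_from_user_sim(&req, bp, sizeof(req)))
        return -EFAULT;
    if (req.brd < 0 || req.brd >= STL_MAXBRDS)
        return -ENODEV;
    if (hook)
        hook();                             /* same window, now harmless */
    if (stli_brds[req.brd] == NULL)
        return -ENODEV;
    req.nrpanels = stli_brds[req.brd]->nrpanels;
    *out = req;
    return 0;
}

/* Constructed sample requests. */
static const struct combrd req_good  = { .brd = 0,    .nrpanels = 0 };
static const struct combrd req_bad   = { .brd = 1000, .nrpanels = 0 };
static const struct combrd req_empty = { .brd = 1,    .nrpanels = 0 };
```

With no concurrent writer both variants behave the same; with the hook installed, the vulnerable variant ends up about to index stli_brds[] with 1000 even though it rejected that value a moment earlier, while the hardened variant still returns board 0's data. The same principle applies to [1]: vfd_cursor is shared state that is checked and then used without serialization, and there the shared buffer cannot be made private, so the remedy is a lock around the check-and-use rather than a local copy.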

