oss-sec mailing list archives
Re: CVE request -- kernel: proc: signedness issue in next_pidmap()
From: Eugene Teo <eugene () redhat com>
Date: Wed, 20 Apr 2011 08:58:23 +0800
On 04/19/2011 07:54 PM, Petr Matousek wrote:

"A signedness issue has been found in next_pidmap() function when the "last" parameter is negative as next_pidmap() just quietly accepted whatever "last" pid that was passed in, which is not all that safe when one of the users is /proc. Setting f_pos to a negative value when accessing /proc via readdir()/getdents() resulted in sign extension of this value when map pointer was being constructed. This later led to #GP because the final pointer was not canonical (x86_64)."

References:
https://bugzilla.redhat.com/show_bug.cgi?id=697822
http://groups.google.com/group/fa.linux.kernel/browse_thread/thread/93c1088451fd3522/4a28ecb7f755a88d?#4a28ecb7f755a88d

Upstream commit:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c78193e9
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d8bdc59f

Use CVE-2011-1593.

Eugene
--
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
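
The sign extension described in the quoted report, modelled in user space as an added example (not code from the post or from the kernel tree). It assumes a signed int "last" divided by an unsigned 64-bit bits-per-page constant on a 4 KiB-page x86_64 build; the constants, the base address and map_index_checked() are illustrative assumptions, and the commits linked above remain the authoritative fix.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values for a 4 KiB-page x86_64 build (not taken from the post). */
#define BITS_PER_PAGE   ((uint64_t)4096 * 8)   /* unsigned, like a UL page size */
#define PID_MAX_LIMIT   (4 * 1024 * 1024)
#define PIDMAP_ENTRY_SZ 16                     /* assumed size of one map entry */
#define PIDMAP_BASE     0xffffffff81a00000ULL  /* constructed array address */

/* Assumed model of the index arithmetic: last + 1 is sign-extended to
 * 64 bits, then divided as an unsigned value. */
uint64_t map_index_unchecked(int last)
{
    return (uint64_t)((int64_t)last + 1) / BITS_PER_PAGE;
}

/* Address of the map entry the unchecked index selects (wraps mod 2^64). */
uint64_t map_addr_unchecked(int last)
{
    return PIDMAP_BASE + map_index_unchecked(last) * PIDMAP_ENTRY_SZ;
}

/* x86_64 with 48-bit virtual addresses: bits 63..47 must all be equal. */
int is_canonical(uint64_t addr)
{
    uint64_t top = addr >> 47;
    return top == 0 || top == 0x1ffff;
}

/* Hypothetical hardened form: refuse an out-of-range "last" before indexing.
 * Returns the map index, or -1 if the value is rejected. */
int64_t map_index_checked(int last)
{
    if (last < 0 || last >= PID_MAX_LIMIT)
        return -1;
    return (int64_t)(((uint64_t)last + 1) / BITS_PER_PAGE);
}

int main(void)
{
    int samples[] = { 300, 32768, -2, -100000 };  /* constructed inputs */
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int last = samples[i];
        uint64_t addr = map_addr_unchecked(last);
        printf("last=%8d index=%#llx addr=%#llx canonical=%d checked=%lld\n",
               last, (unsigned long long)map_index_unchecked(last),
               (unsigned long long)addr, is_canonical(addr),
               (long long)map_index_checked(last));
    }
    return 0;
}
```
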
Current thread:
- CVE request -- kernel: proc: signedness issue in next_pidmap() Petr Matousek (Apr 19)
- Re: CVE request -- kernel: proc: signedness issue in next_pidmap() Eugene Teo (Apr 19)