Re: CVE request -- kernel: proc: signedness issue in next_pidmap()

[Eugene Teo <eugene () redhat com>]

On 04/19/2011 07:54 PM, Petr Matousek wrote:
> "A signedness issue has been found in next_pidmap() function when the "last"
> parameter is negative as next_pidmap() just quietly accepted whatever
> "last" pid that was passed in, which is not all that safe when one of the
> users is /proc.
>
> Setting f_pos to negative value when accessing /proc via readdir()/getdents()
> resulted in sign extension of this value when map pointer was being
> constructed.
>
> This later lead to #GP because the final pointer was not canonical (x86_64)."
>
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=697822
> http://groups.google.com/group/fa.linux.kernel/browse_thread/thread/93c1088451fd3522/4a28ecb7f755a88d?#4a28ecb7f755a88d
>
> Upstream commit:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c78193e9
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d8bdc59f

Use CVE-2011-1593.

Eugene
--
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }