oss-sec mailing list archives
Re: CVE request: kernel (ARM): heap corruption in OABI semtimedop
From: Josh Bressers <bressers () redhat com>
Date: Mon, 2 May 2011 14:59:01 -0400 (EDT)
----- Original Message -----
The OABI wrapper for semtimedop does not bound the nsops argument. A sufficiently large value will cause an integer overflow in allocation size, followed by copying too much data into the allocated buffer. This only affects ARM systems with CONFIG_OABI_COMPAT set. This is exploitable for local privilege escalation, but successful exploitation requires winning a race. Because user-to-kernel copy functions on ARM zero the destination buffer even on failure to access the provided user pointer, the copy loop in the vulnerable function that causes the overflow will zero out large amounts of kernel heap if not interrupted, crashing the system. This should be possible to work around though. -Dan [1] http://marc.info/?l=linux-kernel&m=130408851326428&w=2
Please use CVE-2011-1759. Thanks. -- JB
Current thread:
- CVE request: kernel (ARM): heap corruption in OABI semtimedop Dan Rosenberg (Apr 29)
- Re: CVE request: kernel (ARM): heap corruption in OABI semtimedop Josh Bressers (May 02)