Re: CVE request: kernel (ARM): heap corruption in OABI semtimedop

[Josh Bressers <bressers () redhat com>]

----- Original Message -----
> The OABI wrapper for semtimedop does not bound the nsops argument. A
> sufficiently large value will cause an integer overflow in allocation
> size, followed by copying too much data into the allocated buffer.
> This only affects ARM systems with CONFIG_OABI_COMPAT set.
>
> This is exploitable for local privilege escalation, but successful
> exploitation requires winning a race. Because user-to-kernel copy
> functions on ARM zero the destination buffer even on failure to access
> the provided user pointer, the copy loop in the vulnerable function
> that causes the overflow will zero out large amounts of kernel heap if
> not interrupted, crashing the system. This should be possible to work
> around though.
>
> -Dan
>
> [1] http://marc.info/?l=linux-kernel&m=130408851326428&w=2

Please use CVE-2011-1759.

Thanks.

-- 
    JB