oss-sec mailing list archives

CVE Request: kernel - sock_diag: Fix out-of-bounds access to sock_diag_handlers[]

From: Mathias Krause <minipli () googlemail com>
Date: Sun, 24 Feb 2013 10:10:45 +0100

An unprivileged user can send a netlink message resulting in an
out-of-bounds access of the sock_diag_handlers[] array which, in turn,
allows userland to take over control while in kernel mode.

Patch (already in net/master):
http://thread.gmane.org/gmane.linux.network/260061

Affected versions:
v3.3 - v3.8

PoC is not attached this time but can be requested on demand. Hint:
Works well on Fedora 18, bypassing all mmap_min_addr checks. ;)


Thanks,
Mathias

Current thread:

CVE Request: kernel - sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Mathias Krause (Feb 24)
- Re: CVE Request: kernel - sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Petr Matousek (Feb 24)
- Re: CVE Request: kernel - sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Solar Designer (Feb 25)
  - Re: CVE Request: kernel - sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Mathias Krause (Feb 25)
    - Re: CVE Request: kernel - sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Mathias Krause (Feb 25)
    - Re: CVE Request: kernel - sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Solar Designer (Feb 25)
    - Re: CVE Request: kernel - sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Mathias Krause (Feb 25)
    - Re: CVE Request: kernel - sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Dan Rosenberg (Feb 25)
    - Re: CVE Request: kernel - sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Mathias Krause (Feb 25)
    - Re: CVE Request: kernel - sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Dan Rosenberg (Feb 25)
    - Re: CVE Request: kernel - sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Mathias Krause (Feb 25)

(Thread continues...)