oss-sec mailing list archives

Re: CVE Request: kernel - sock_diag: Fix out-of-bounds access to sock_diag_handlers[]


From: Mathias Krause <minipli () googlemail com>
Date: Mon, 25 Feb 2013 11:46:52 +0100

On Mon, Feb 25, 2013 at 11:41 AM, Mathias Krause <minipli () googlemail com> wrote:
> Kind of. The missing upper bound check was (and still is) in there in
> older kernels as well, at times as this code was still living in
> inet_diag.c. But it wasn't (and isn't) vulnerable as the
> inet_diag_handlers[] array is 256 elements big. So userland cannot
   ^^^^^^^^^^^^^^^^^^^^^^ inet_diag_table that should be, and it's
bound by INET_DIAG_GETSOCK_MAX checks in older kernels.

Sorry for the confusion. Busy doing other stuff :/

Mathias

