oss-sec mailing list archives

CVE Request -- Linux kernel: sctp: SCTP_GET_ASSOC_STATS stack overflow


From: Petr Matousek <pmatouse () redhat com>
Date: Fri, 8 Mar 2013 04:23:49 +0100

A local user could use the missing size check in the
sctp_getsockopt_assoc_stats() function to escalate their privileges. On
x86 this might be mitigated by the destination object size check, as the
destination size is known at compile time.

Upstream fix:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=726bc6b0

Introduced by:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=196d6759

Introduced in:
v3.8-rc1

References:
https://twitter.com/grsecurity/status/309805924749541376
http://grsecurity.net/~spender/sctp.c

Thanks,
-- 
Petr Matousek / Red Hat Security Response Team
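
Added example (not part of the original post and not the kernel's code): a userspace C model of the bug class described above, where a getsockopt-style handler copies a caller-supplied length into a fixed-size stack object, shown with the upper-bound clamp in place. The struct layout, function names and sample values are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the stats structure; layout is constructed. */
struct assoc_stats_model {
    int32_t  assoc_id;
    uint64_t counters[8];
};

/* Pre-fix condition: only a lower bound on len is enforced, so a larger
 * caller-supplied len would overrun the fixed-size stack object. */
int unchecked_len_overruns(size_t len)
{
    return len >= sizeof(int32_t) && len > sizeof(struct assoc_stats_model);
}

/* Hardened model: clamp len to the destination size before any copy. */
int get_assoc_stats_model(void *user_buf, size_t user_len, size_t *out_len)
{
    struct assoc_stats_model sas;
    size_t len = user_len;

    if (len < sizeof(int32_t))      /* need at least the association id */
        return -EINVAL;
    if (len > sizeof(sas))          /* the upper bound that was missing */
        len = sizeof(sas);

    memset(&sas, 0, sizeof(sas));
    memcpy(&sas, user_buf, len);    /* models the copy from user space */
    for (size_t i = 0; i < 8; i++)  /* constructed sample statistics */
        sas.counters[i] = 100 + i;
    memcpy(user_buf, &sas, len);    /* models the copy back to the caller */
    *out_len = len;
    return 0;
}

int main(void)
{
    unsigned char buf[4096];        /* constructed oversized request */
    size_t out = 0;
    memset(buf, 0x41, sizeof(buf));
    int rc = get_assoc_stats_model(buf, sizeof(buf), &out);
    printf("unchecked overrun: %d, rc=%d, copied=%zu of %zu requested\n",
           unchecked_len_overruns(sizeof(buf)), rc, out, sizeof(buf));
    return 0;
}
```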

