oss-sec mailing list archives
Re: CVE Request -- Linux kernel: sctp: SCTP_GET_ASSOC_STATS stack overflow
From: Petr Matousek <pmatouse () redhat com>
Date: Fri, 8 Mar 2013 04:47:44 +0100
It's stack buffer overflow, not stack overflow, sorry.

On Fri, Mar 08, 2013 at 04:23:49AM +0100, Petr Matousek wrote:

A local user could use the missing size check in sctp_getsockopt_assoc_stats() function to escalate their privileges. On x86 this might be mitigated by destination object size check as the destination size is known at compile time.

Upstream fix: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=726bc6b0

Introduced by: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=196d6759

Introduced in: v3.8-rc1

References:
https://twitter.com/grsecurity/status/309805924749541376
http://grsecurity.net/~spender/sctp.c
https://bugzilla.redhat.com/show_bug.cgi?id=919315

Thanks,
--
Petr Matousek / Red Hat Security Response Team
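The class of bug named in the message above, a caller-supplied length copied into a fixed-size stack object without an upper bound, shown as an added userspace sketch beside a bounded form. This is not code from the post or from the kernel: the struct, the function names and the use of memcpy in place of a copy from user space are all hypothetical, and clamping is only one way to add the missing check.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the fixed-size object on the handler's stack. */
struct assoc_stats {
    int32_t  assoc_id;
    uint64_t counters[8];
};

/* 'Before' pattern: only a lower bound on the caller-supplied length.
 * Any len above sizeof(*dst) writes past the destination object. */
int copy_stats_request_unchecked(struct assoc_stats *dst,
                                 const void *optval, size_t len)
{
    if (len < sizeof(dst->assoc_id))
        return -EINVAL;
    memcpy(dst, optval, len);   /* no upper bound: stack buffer overflow */
    return 0;
}

/* Bounded pattern: the copy is limited by the destination size as well. */
int copy_stats_request_checked(struct assoc_stats *dst,
                               const void *optval, size_t len, size_t *copied)
{
    if (len < sizeof(dst->assoc_id))
        return -EINVAL;
    if (len > sizeof(*dst))
        len = sizeof(*dst);     /* clamp to the object actually on the stack */
    memcpy(dst, optval, len);
    *copied = len;
    return 0;
}

/* Constructed input: a 256-byte request against the smaller stats object. */
int demo_oversized_request(void)
{
    unsigned char request[256];
    struct assoc_stats st;
    size_t copied = 0;
    memset(request, 0x41, sizeof(request));
    int rc = copy_stats_request_checked(&st, request, sizeof(request), &copied);
    return (rc == 0 && copied == sizeof(st)) ? 0 : -1;
}
```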