oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: some unstracked linux kernel security fixes

From: Petr Matousek <pmatouse () redhat com>
Date: Thu, 14 Nov 2013 11:33:10 +0100
On Tue, Nov 12, 2013 at 11:10:32AM +0100, Petr Matousek wrote:

Hi,

On Sun, Nov 03, 2013 at 05:32:52PM +0100, Nico Golde wrote:

drivers/uio/uio.c: mapping of physical memory to user space without proper size check
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7314e613d5ff


there is a size check in uio_mmap() (the only caller of uio_mmap_physical()):

        requested_pages = vma_pages(vma);
        actual_pages = ((idev->info->mem[mi].addr & ~PAGE_MASK)
                        + idev->info->mem[mi].size + PAGE_SIZE -1) >> PAGE_SHIFT;
        if (requested_pages > actual_pages)
                return -EINVAL;

why it wasn't sufficient?


Apparently there was a CVE split [1] and this is now CVE-2013-6763.

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6763

I still think this is a non-issue based on the above mentioned size
check. Can I please get second opinion from someone more knowledgeable
on this?

Thanks,
-- 
Petr Matousek / Red Hat Security Response Team
PGP: 0xC44977CA 8107 AF16 A416 F9AF 18F3  D874 3E78 6F42 C449 77CA
Previous By Date Next
Previous By Thread Next

Current thread: