oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE Request: Linux Kernel Ozwpan Driver - Remote packet-of-death vulnerabilities

From: "Jason A. Donenfeld" <Jason () zx2c4 com>
Date: Wed, 27 May 2015 16:45:15 +0200
Hi folks,

This is a resend, as the other request seems to have gotten lost in the mix.

A variety of issues have been found in Linux's ozwpan driver.

1. A remote packet can be sent, resulting in funny subtractions of
signed integers, which causes a memcpy(kernel_heap,
network_user_buffer, -network_user_provided_length).

There are two different conditions that can lead to this:
https://lkml.org/lkml/2015/5/13/740
https://lkml.org/lkml/2015/5/13/744
You may want to give two CVEs or just one CVE for these two issues.

2. A remote packet can be sent, resulting in divide-by-zero in
softirq, causing hard crash:
https://lkml.org/lkml/2015/5/13/741

3. A remote packet can be sent, resulting in a funny subtraction,
causing an insanely big loop to lock up the kernel:
https://lkml.org/lkml/2015/5/13/742

4. Multiple out-of-bounds reads, resulting in possible information
leakage, explained in the last paragraph of the introductory email
here:
https://lkml.org/lkml/2015/5/13/739


Please assign CVEs so that these can be properly tracked. I've been
told the v2 of these patches are in the merging queue.

Regards,
Jason Donenfeld
Previous By Date Next
Previous By Thread Next

Current thread: