oss-sec mailing list archives
CVE Request: Linux Kernel Ozwpan Driver - Remote packet-of-death vulnerabilities
From: "Jason A. Donenfeld" <Jason () zx2c4 com>
Date: Wed, 27 May 2015 16:45:15 +0200
Hi folks, This is a resend, as the other request seems to have gotten lost in the mix. A variety of issues have been found in Linux's ozwpan driver. 1. A remote packet can be sent, resulting in funny subtractions of signed integers, which causes a memcpy(kernel_heap, network_user_buffer, -network_user_provided_length). There are two different conditions that can lead to this: https://lkml.org/lkml/2015/5/13/740 https://lkml.org/lkml/2015/5/13/744 You may want to give two CVEs or just one CVE for these two issues. 2. A remote packet can be sent, resulting in divide-by-zero in softirq, causing hard crash: https://lkml.org/lkml/2015/5/13/741 3. A remote packet can be sent, resulting in a funny subtraction, causing an insanely big loop to lock up the kernel: https://lkml.org/lkml/2015/5/13/742 4. Multiple out-of-bounds reads, resulting in possible information leakage, explained in the last paragraph of the introductory email here: https://lkml.org/lkml/2015/5/13/739 Please assign CVEs so that these can be properly tracked. I've been told the v2 of these patches are in the merging queue. Regards, Jason Donenfeld
Current thread:
- CVE Request: Linux Kernel Ozwpan Driver - Remote packet-of-death vulnerabilities Jason A. Donenfeld (May 27)
- Re: CVE Request: Linux Kernel Ozwpan Driver - Remote packet-of-death vulnerabilities Jason A. Donenfeld (May 30)