oss-sec mailing list archives
Re: Re: CVE Request: Linux Kernel: information leak from getsockname
From: Marcus Meissner <meissner () suse de>
Date: Wed, 16 Dec 2015 12:44:30 +0100
On Tue, Dec 15, 2015 at 01:15:07PM -0500, cve-assign () mitre org wrote:
> http://twitter.com/grsecurity/statuses/676744240802750464
> https://lkml.org/lkml/2015/12/14/252
> http://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=09ccfd238e5a0e670d8178cf50180ea81ae09ae1
> (not yet available at http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/drivers/net/ppp/pptp.c)
>
> getsockname() for some socket families did not check the length of the passed sockaddr, copying out more kernel memory than required, leaking information from the kernel stack, including kernel addresses. This can be used for KASLR bypass or other information leaks.
>
> Use CVE-2015-8569 for both the pptp_bind issue and the pptp_connect issue. (We don't know whether the pptp_connect issue would've been exploitable if only the pptp_bind issue were fixed.)
The netdev team has added more fixes very similar to that. Could we merge them with this CVE?

http://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=5233252fce714053f0151680933571a2da9cbfb4 in bluetooth/sco

Ciao, Marcus
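The missing-length-check pattern the CVE describes, as an added C model (not the kernel's code or the patch itself): the generic socket layer copies only sockaddr_len bytes of the caller's address into a kernel stack buffer, an unchecked bind() then reads a full struct sockaddr_pppox from it and stores stale stack bytes in the socket, and getsockname() would later return those bytes; the checked variant rejects the short address up front. The struct layouts, the AF_PPPOX/PX_PROTO_PPTP values and the 0xAA stale-stack marker are assumptions made for the model.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-ins (an assumption, not the exact kernel layout) for the
 * sockaddr_pppox / pptp_addr structs from include/uapi/linux/if_pppox.h. */
struct pptp_addr { uint16_t call_id; uint32_t sin_addr; };
struct sockaddr_pppox { uint16_t sa_family; uint32_t sa_protocol; struct pptp_addr pptp; };
struct pptp_sock { struct pptp_addr src_addr; };   /* filled by bind(), returned by getsockname() */

#define STALE_BYTE 0xAA   /* constructed marker standing in for uninitialised kernel stack */

/* Generic socket layer: only sockaddr_len bytes of the user address reach the
 * kernel stack buffer; the remainder keeps whatever the stack already held. */
static void move_addr_to_kernel(const void *uaddr, int sockaddr_len, struct sockaddr_pppox *kaddr) {
    if (sockaddr_len > (int)sizeof *kaddr) sockaddr_len = (int)sizeof *kaddr;
    memset(kaddr, STALE_BYTE, sizeof *kaddr);      /* simulate stale stack contents */
    memcpy(kaddr, uaddr, (size_t)sockaddr_len);
}

/* Pre-fix: reads a whole sockaddr_pppox regardless of the length supplied. */
int pptp_bind_unchecked(struct pptp_sock *po, const void *uaddr, int sockaddr_len) {
    struct sockaddr_pppox sp;
    move_addr_to_kernel(uaddr, sockaddr_len, &sp);
    memcpy(&po->src_addr, &sp.pptp, sizeof po->src_addr);  /* may store stale stack bytes */
    return 0;
}

/* Post-fix: refuse any address shorter than the struct the handler will read. */
int pptp_bind_checked(struct pptp_sock *po, const void *uaddr, int sockaddr_len) {
    if (sockaddr_len < (int)sizeof(struct sockaddr_pppox))
        return -EINVAL;
    return pptp_bind_unchecked(po, uaddr, sockaddr_len);
}

/* What getsockname() would copy out: 1 if any byte is the stale-stack marker. */
int getsockname_leaks(const struct pptp_sock *po) {
    const unsigned char *p = (const unsigned char *)&po->src_addr;
    for (size_t i = 0; i < sizeof po->src_addr; i++)
        if (p[i] == STALE_BYTE) return 1;
    return 0;
}

/* Constructed inputs: an 8-byte family/protocol header with no pptp_addr
 * (24 = AF_PPPOX, 2 = PX_PROTO_PPTP, assumed values), and a full address. */
const unsigned char short_addr[8] = { 24, 0, 0, 0, 2, 0, 0, 0 };
const struct sockaddr_pppox full_addr = { 24, 2, { 7, 0x0100007f } };
struct pptp_sock sock_unchecked, sock_checked;     /* zero-initialised sockets for the two paths */
```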