oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2017-7482 Linux kernel: krb5 ticket decode len check.

From: Wade Mealing <wmealing () redhat com>
Date: Mon, 26 Jun 2017 18:07:59 +1000
Gday,

David Howells has written a great description, so rather than reword what
he's written here is a quote directly from the git commit.


From the patch notes:


---
    When a kerberos 5 ticket is being decoded so that it can be loaded into
an
    rxrpc-type key, there are several places in which the length of a
    variable-length field is checked to make sure that it's not going to
    overrun the available data - but the data is padded to the nearest
    four-byte boundary and the code doesn't check for this extra.  This
could
    lead to the size-remaining variable wrapping and the data pointer going
    over the end of the buffer.

    Fix this by making the various variable-length data checks use the
padded
    length.
---


From what I can see, this could leak 3 bytes of memory to userspace or

possibly corrupt 3 bytes of memory,

Upstream fix
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5f2f97656ada8d811d3c1bef503ced266fcd53a0

Red Hat Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7482

-- 

Wade Mealing

Product Security - Kernel, RHCE

Red Hat

<https://www.redhat.com>

wmealing () redhat com
<https://red.ht/sig>
TRIED. TESTED. TRUSTED. <https://redhat.com/trusted>
Previous By Date Next
Previous By Thread Next

Current thread: