
List:       oss-security
Subject:    Re: [oss-security] CVE request: kernel: heap overflow in TIPC
From:       Josh Bressers <bressers () redhat ! com>
Date:       2010-10-22 14:38:52
Message-ID: 1432075622.1471601287758332552.JavaMail.root () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com

Please use CVE-2010-3859

Thanks.

-- 
    JB


----- "Dan Rosenberg" <dan.j.rosenberg@gmail.com> wrote:

> The tipc_msg_build() function in net/tipc/msg.c contains an
> exploitable kernel heap overflow that would allow a local user to
> escalate privileges to root by issuing maliciously crafted sendmsg()
> calls via TIPC sockets.
> 
> Fortunately, none of the distributions I tested actually define a
> module alias for TIPC even though it is compiled as a module on nearly
> all of them (I suspect this is a lucky accident).  Since in these
> situations, the TIPC module will not be loaded automatically on
> creation of a TIPC socket, an administrator would have had to
> explicitly load the TIPC kernel module in order for a system to be
> vulnerable.
> 
> I checked Ubuntu, Debian, and Fedora, none of which define an alias.
> Any distributions that define a module alias for TIPC (i.e. "alias
> net-pf-30 tipc") should treat this as a serious vulnerability.  Even
> if your distribution does not, I highly recommend backporting the fix
> for this, since it's a bit of defensive programming in the core
> networking code that handles verifying user-supplied iovecs, which
> likely resolves other undiscovered (or undisclosed) security issues
> elsewhere.  I'll post a link to the fix when it's finalized and
> committed.
> 
> Reference:
> http://marc.info/?l=linux-netdev&m=128770476511716&w=2
> 
> -Dan
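Added example (editorial, not part of the mail above and not the kernel's own code): a userspace model of the bug class Dan describes, where lengths taken from a user-supplied iovec are summed into an int before a buffer is sized from that sum, placed beside the bounded variant a fix of the kind he mentions would use. All function names are this example's own; it assumes size_t is at least 32 bits wide, and the -EMSGSIZE / -EFAULT return values are this example's choices, not a statement of what the kernel fix returns. The iovec contents are constructed.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/uio.h>

/* Vulnerable pattern: user-controlled size_t lengths accumulate into a
 * 32-bit total, so two huge iov_len values can wrap to a small number.
 * A caller that allocates header + total and then copies iov_len bytes
 * per element writes far past the end of its heap buffer. */
int iov_total_unchecked(const struct iovec *iov, int n)
{
    unsigned int tot = 0;                       /* wraps modulo 2^32 */
    for (int i = 0; i < n; i++)
        tot += (unsigned int)iov[i].iov_len;    /* silent truncation */
    return (int)tot;
}

/* Hardened pattern: bound every element and the running total by INT_MAX
 * before anything is allocated.  Returns the total (0..INT_MAX) or
 * -EMSGSIZE (this example's choice of error). */
int iov_total_checked(const struct iovec *iov, int n)
{
    unsigned long long tot = 0;
    for (int i = 0; i < n; i++) {
        if (iov[i].iov_len > (size_t)INT_MAX)
            return -EMSGSIZE;
        tot += iov[i].iov_len;
        if (tot > (unsigned long long)INT_MAX)
            return -EMSGSIZE;
    }
    return (int)tot;
}

/* The copy step that becomes the overflow once the total is wrong.  Here it
 * refuses any element that would run past dst_len and returns -EFAULT;
 * otherwise it returns the number of bytes copied. */
int copy_from_iov(char *dst, size_t dst_len, const struct iovec *iov, int n)
{
    size_t off = 0;
    for (int i = 0; i < n; i++) {
        if (iov[i].iov_len > dst_len - off)
            return -EFAULT;
        memcpy(dst + off, iov[i].iov_base, iov[i].iov_len);
        off += iov[i].iov_len;
    }
    return (int)off;
}

/* Constructed inputs (not captured from a real system).
 * crafted: 0x80000000 + 0x80000010 == 16 modulo 2^32. */
static const struct iovec crafted[2] = {
    { .iov_base = NULL, .iov_len = (size_t)0x80000000u },
    { .iov_base = NULL, .iov_len = (size_t)0x80000010u },
};
static const struct iovec benign[2] = {
    { .iov_base = (void *)"hello ", .iov_len = 6 },
    { .iov_base = (void *)"world",  .iov_len = 5 },
};

/* Demonstration helper: copy 'benign' into a scratch buffer of dst_len
 * bytes and report what copy_from_iov() decided. */
int copy_benign_into(size_t dst_len)
{
    char scratch[64];
    if (dst_len > sizeof scratch)
        return -EINVAL;
    return copy_from_iov(scratch, dst_len, benign, 2);
}

int main(void)
{
    int unchecked = iov_total_unchecked(crafted, 2);
    int checked   = iov_total_checked(crafted, 2);
    printf("crafted iovec: unchecked total = %d, checked = %d (%s)\n",
           unchecked, checked, checked < 0 ? strerror(-checked) : "ok");
    /* An allocator trusting 'unchecked' would size a ~16-byte buffer, and
     * the copy loop would then try to write 0x80000000 bytes into it. */
    printf("benign iovec: checked total = %d, copied into 64 bytes = %d, "
           "copied into 8 bytes = %d\n",
           iov_total_checked(benign, 2), copy_benign_into(64),
           copy_benign_into(8));
    return 0;
}
```

The point of the second function is that the bound is applied to the lengths themselves, before any allocation, so the size the allocator sees and the size the copy loop uses can never disagree. To check Dan's precondition on your own machine, look for the protocol-family alias he names (on most distributions `grep -w net-pf-30 /lib/modules/$(uname -r)/modules.alias`) and whether the module is already resident (`lsmod | grep tipc`); no alias and no loaded module means a plain TIPC socket() call will not pull the code in.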