List: oss-security
Subject: Re: [oss-security] CVE request: kernel: buffer overflow in OSS load_mixer_volumes
From: Huzaifa Sidhpurwala <huzaifas () redhat ! com>
Date: 2010-12-31 7:35:11
Message-ID: 4D1D84DF.3090302 () redhat ! com
On 12/31/2010 05:32 AM, Dan Rosenberg wrote:
> "The load_mixer_volumes() function, which can be triggered by
> unprivileged users via the SOUND_MIXER_SETLEVELS ioctl, is vulnerable to
> a buffer overflow. Because the provided 'name' argument isn't
> guaranteed to be NULL terminated at the expected 32 bytes, it's possible
> to overflow past the end of the last element in the mixer_vols array.
> Further exploitation can result in an arbitrary kernel write (via
> subsequent calls to load_mixer_volumes()) leading to privilege
> escalation, or arbitrary kernel reads via get_mixer_levels(). In
> addition, the strcmp() may leak bytes beyond the mixer_vols array."
>
Please use CVE-2010-4527 for this one.
--
Huzaifa Sidhpurwala / Red Hat Security Response Team
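
The check the quoted advisory implies is missing, as an added example that is not part of this message, the kernel source, or the upstream fix: a user-space model that rejects a 32-byte name field with no NUL terminator before it is compared or copied. The struct layout, table size, level count and function names are assumptions made for illustration.

```c
#include <string.h>

#define NAME_LEN   32  /* name field size stated in the advisory */
#define MAX_VOLS   4   /* constructed table size for this model */
#define NUM_LEVELS 8   /* constructed number of levels per entry */

struct vol_entry {     /* hypothetical stand-in for one mixer_vols element */
    char name[NAME_LEN];
    int  levels[NUM_LEVELS];
};

static struct vol_entry table[MAX_VOLS];
static int num_entries;

/* Returns 1 if the field holds a NUL within its first NAME_LEN bytes. */
static int name_is_terminated(const char *name)
{
    return memchr(name, '\0', NAME_LEN) != NULL;
}

/*
 * Find or create the entry for a caller-supplied NAME_LEN-byte name field.
 * Returns the entry index, or -1 if the name is unterminated or the table
 * is full. Without the first check, strcmp()/strcpy() on the field would
 * read and write past NAME_LEN bytes, which is the overflow described above.
 */
int load_volumes_checked(const char name[NAME_LEN], const int *levels)
{
    int i;

    if (!name_is_terminated(name))
        return -1;
    for (i = 0; i < num_entries; i++)
        if (strncmp(name, table[i].name, NAME_LEN) == 0)
            return i;                    /* existing entry, left unchanged */
    if (num_entries >= MAX_VOLS)
        return -1;
    i = num_entries++;
    memset(&table[i], 0, sizeof(table[i]));
    /* strlen() is safe here: termination within NAME_LEN was proven above */
    memcpy(table[i].name, name, strlen(name) + 1);
    memcpy(table[i].levels, levels, sizeof(table[i].levels));
    return i;
}
```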