[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE request: kernel: OOM-killer via argv expansion
From:       Kees Cook <kees () ubuntu ! com>
Date:       2011-02-28 23:28:47
Message-ID: 20110228232847.GF4669 () outflux ! net
[Download RAW message or body]

On Mon, Feb 28, 2011 at 01:02:02PM -0800, Kees Cook wrote:
> On Mon, Feb 28, 2011 at 12:32:55PM -0800, Kees Cook wrote:
> > I think the flaw[1] with argv-expansion triggering the OOM-killer
> > incorrectly needs its own CVE.
> > 
> > While the stack guard page and the fixes[2] for CVE-2010-3858 certainly
> > improved things, argv expansion can still be tricked into OOM-killing the
> > entire system. Solutions were discussed on the original thread, but
> > were not finished. Recently a set of patches[3] has been re-proposed to fix
> > this issue. Regardless, it should probably get its own CVE assigned.
> > 
> > Thanks,
> > 
> > -Kees
> > 
> > [1] https://lkml.org/lkml/2010/8/27/429
> > [2] http://git.kernel.org/linus/1b528181b2ffa14721fb28ad1bd539fe1732c583
> > [3] https://lkml.org/lkml/2011/2/25/227
> 
> Sorry, Nelson Elhage pointed out to me that I missed the fix for this
> issue. The issue was been fixed with:
> http://git.kernel.org/linus/3c77f845722158206a7209c45ccddc264d19319c
> 
> This was already assigned as CVE-2010-4243
> 
> Sorry for the noise, and thanks!

Wait, I will continue to make more noise. The upstream commit
3c77f845722158206a7209c45ccddc264d19319c does not handle the compat case,
which https://lkml.org/lkml/2011/2/25/227 is trying to handle.

Does this need its own CVE?

Thanks,

-Kees

-- 
Kees Cook
Ubuntu Security Team
[prev in list] [next in list] [prev in thread] [next in thread]