List: oss-security
Subject: Re: [oss-security] CVE request: kernel: heap corruption in IrDA
From: Eugene Teo <eugene () redhat ! com>
Date: 2011-03-22 7:24:23
Message-ID: 4D884EA7.7060400 () redhat ! com
On 03/22/2011 07:18 AM, Dan Rosenberg wrote:
> On Mon, Mar 21, 2011 at 12:59 AM, Eugene Teo<eugene@redhat.com> wrote:
>> On 03/21/2011 03:26 AM, Dan Rosenberg wrote:
>>>
>>> When providing an invalid IrDA nickname for an IrNET peer, a local
>>> attacker can cause a kernel panic due to an underflow in a memcpy()
>>> size calculation or cause a controllable heap overflow that may lead
>>> to privilege escalation. Write access to the /dev/irnet device file
>>> is required to trigger the vulnerability.
>>>
>>> Reference:
>>> http://marc.info/?l=linux-netdev&m=130060169116047&w=2
>>
>> The default permissions for /dev/irnet are root-read/write only. In the past
>> I have ignored such issues that can only be triggered by root, even though
>> the permissions can be changed. I wouldn't assign a CVE name for this. CC'ed
>> Steve.
>
> Fair enough, I should probably have been more clear about the exact
> impact of the flaw. But given recent discussions about hardening the
> kernel even against the root user, it seems like reliably triggered
wrt to capabilities.
> kernel memory corruption of any kind enables crossing some security
> boundary, so this may still deserve a CVE - just one with a
> description that accurately reflects the relatively less common attack
> scenario.
Yes, but it can't be triggered by a local, unprivileged user.
Eugene
--
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
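To illustrate the class of bug the thread is about, here is a hardened version of the kind of length check involved, written as an added C example that is not the kernel's IrNET code or the patch linked above: the "name <nickname>" control-command format, the 21-byte nickname limit, and the struct and function names are all assumptions made for this illustration.

```c
#include <stddef.h>
#include <string.h>

/* Assumed limit: IrDA nicknames are modelled here as at most 21 bytes. */
#define NICKNAME_MAX_LEN 21
#define CMD_PREFIX "name "           /* hypothetical control-command prefix */
#define CMD_PREFIX_LEN (sizeof(CMD_PREFIX) - 1)

struct peer {
    char rname[NICKNAME_MAX_LEN + 1]; /* remote nickname, NUL-terminated */
};

/*
 * Parse a control write of the form "name <nickname>" into p->rname.
 *
 * The hazard described in the thread: computing the copy size as
 * (len - CMD_PREFIX_LEN) in unsigned arithmetic.  If the command is shorter
 * than the prefix, that subtraction wraps to a huge size_t and memcpy()
 * runs off the end of the destination buffer.  Every check below is made
 * on len *before* any subtraction, so no intermediate value can wrap, and
 * the upper bound keeps the copy inside rname.
 *
 * Returns 0 on success, -1 for a malformed, empty or over-long nickname.
 */
int set_nickname(struct peer *p, const char *cmd, size_t len)
{
    size_t nick_len;

    /* Reject anything shorter than the prefix before subtracting. */
    if (len < CMD_PREFIX_LEN || memcmp(cmd, CMD_PREFIX, CMD_PREFIX_LEN) != 0)
        return -1;

    nick_len = len - CMD_PREFIX_LEN;   /* cannot underflow: len >= prefix */

    /* Empty or over-long nicknames are invalid. */
    if (nick_len == 0 || nick_len > NICKNAME_MAX_LEN)
        return -1;

    memcpy(p->rname, cmd + CMD_PREFIX_LEN, nick_len);
    p->rname[nick_len] = '\0';
    return 0;
}
```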