List:       oss-security
Subject:    Re: [oss-security] CVE request: kernel: heap corruption in IrDA
From:       Eugene Teo <eugene () redhat ! com>
Date:       2011-03-22 7:24:23
Message-ID: 4D884EA7.7060400 () redhat ! com

On 03/22/2011 07:18 AM, Dan Rosenberg wrote:
> On Mon, Mar 21, 2011 at 12:59 AM, Eugene Teo<eugene@redhat.com>  wrote:
>> On 03/21/2011 03:26 AM, Dan Rosenberg wrote:
>>>
>>> When providing an invalid IrDA nickname for an IrNET peer, a local
>>> attacker can cause a kernel panic due to an underflow in a memcpy()
>>> size calculation or cause a controllable heap overflow that may lead
>>> to privilege escalation.  Write access to the /dev/irnet device file
>>> is required to trigger the vulnerability.
>>>
>>> Reference:
>>> http://marc.info/?l=linux-netdev&m=130060169116047&w=2
>>
>> The default permissions for /dev/irnet are root-read/write only. In the past
>> I have ignored such issues that can only be triggered by root, even though
>> the permissions can be changed. I wouldn't assign a CVE name for this. CC'ed
>> Steve.
>
> Fair enough, I should probably have been more clear about the exact
> impact of the flaw.  But given recent discussions about hardening the
> kernel even against the root user, it seems like reliably triggered

wrt capabilities.

> kernel memory corruption of any kind enables crossing some security
> boundary, so this may still deserve a CVE - just one with a
> description that accurately reflects the relatively less common attack
> scenario.

Yes, but it can't be triggered by a local, unprivileged user.

Eugene
-- 
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }