[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE request: kernel: multiple issues in ROSE
From:       Dan Rosenberg <dan.j.rosenberg () gmail ! com>
Date:       2011-03-30 17:26:43
Message-ID: AANLkTin4pfxJma9Ev+ygaZ-ceXcXnCNHdTS7kFr0hG-6 () mail ! gmail ! com
[Download RAW message or body]

Any update on this?

Thanks,
Dan

On Mon, Mar 21, 2011 at 12:47 AM, Eugene Teo <eugene@redhat.com> wrote:
> On 03/21/2011 03:40 AM, Dan Rosenberg wrote:
>>
>> I sent in a patch [1] resolving two issues in ROSE:
>>
>> "When parsing the FAC_NATIONAL_DIGIS facilities field, it's possible
>> for a remote host to provide more digipeaters than expected, resulting
>> in heap corruption.  Check against ROSE_MAX_DIGIS to prevent
>> overflows, and abort facilities parsing on failure.
>>
>> Additionally, when parsing the FAC_CCITT_DEST_NSAP and
>> FAC_CCITT_SRC_NSAP facilities fields, a remote host can provide a
>> length of less than 10, resulting in an underflow in a memcpy size,
>> causing a kernel panic due to massive heap corruption.  A length of
>> greater than 20 results in a stack overflow of the callsign array.
>> Abort facilities parsing on these invalid length values."
>>
>> These issues may both result in code execution.  They may be triggered
>> by a remote attacker if the victim has a listening ROSE socket, or by
>> a local attacker (for privilege escalation) if a ROSE device exists
>> (e.g. rose0).
>>
>> Ben Hutchings followed up with a patch [2] that resolves a number of
>> other ROSE issues related to lack of size field validation, some of
>> which may also result in heap corruption.
>>
>> Not sure about the proper CVE breakdown for all these issues, since
>> the entire protocol was quite broken.  Perhaps one is enough to cover
>> everything.
>
> I am not sure. I would just assign one for the collection of issues here but
> I will let Steve decide instead.
>
>> [1] http://marc.info/?l=linux-netdev&m=130060344616926
>> [2] http://marc.info/?l=linux-netdev&m=130063972406389&w=2
>
> Thanks, Eugene
> --
> main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
>

[prev in list] [next in list] [prev in thread] [next in thread]