List:       oss-security
Subject:    Re: [oss-security] CVE request -- kernel: proc: signedness issue
From:       Eugene Teo <eugene () redhat ! com>
Date:       2011-04-20 0:58:23
Message-ID: 4DAE2FAF.60807 () redhat ! com

On 04/19/2011 07:54 PM, Petr Matousek wrote:
> "A signedness issue has been found in next_pidmap() function when the "last"
> parameter is negative as next_pidmap() just quietly accepted whatever
> "last" pid that was passed in, which is not all that safe when one of the
> users is /proc.
> 
> Setting f_pos to a negative value when accessing /proc via readdir()/getdents()
> resulted in sign extension of this value when map pointer was being
> constructed.
> 
> This later led to #GP because the final pointer was not canonical (x86_64)."
> 
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=697822
> http://groups.google.com/group/fa.linux.kernel/browse_thread/thread/93c1088451fd3522/4a28ecb7f755a88d?#4a28ecb7f755a88d
>  
> Upstream commit:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c78193e9
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d8bdc59f

Use CVE-2011-1593.

Eugene
-- 
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
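
The signedness problem described in the quoted report, as an added example that is not part of the original message or the kernel source: a user-space C model of how a negative `last` becomes a negative offset from the pidmap array, next to a version that takes the value as unsigned and range-checks it. The constants, the `struct pidmap` stand-in and both function names are assumptions for illustration; the check is one way to reject such input, not a copy of the upstream commits.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed constants for this user-space model (4 KiB pages). */
#define BITS_PER_PAGE  (4096 * 8)
#define PID_MAX_LIMIT  (4u * 1024 * 1024)

/* Stand-in for one pidmap entry; only its size matters here. */
struct pidmap { int nr_free; void *page; };

/* Unchecked: a signed "last" is accepted as-is. Returns the byte offset,
 * relative to the start of the pidmap array, that the map pointer gets. */
int64_t map_offset_unchecked(int last)
{
    /* Widened to 64 bits the way a signed index is when added to a pointer. */
    int64_t idx = ((int64_t)last + 1) / BITS_PER_PAGE;
    return idx * (int64_t)sizeof(struct pidmap);
}

/* Checked: "last" is unsigned and must lie inside the pid range.
 * Returns 0 and stores the offset, or -1 if the value is rejected. */
int map_offset_checked(unsigned int last, int64_t *off)
{
    if (last >= PID_MAX_LIMIT)
        return -1;
    *off = (int64_t)((last + 1) / BITS_PER_PAGE) * (int64_t)sizeof(struct pidmap);
    return 0;
}

int main(void)
{
    /* Constructed inputs: two ordinary pids and two negative values. */
    int samples[] = { 300, 32767, -100000, -2147483647 };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int64_t off = 0;
        int rc = map_offset_checked((unsigned int)samples[i], &off);
        printf("last=%d unchecked=%lld checked=%s\n", samples[i],
               (long long)map_offset_unchecked(samples[i]),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

In the unchecked path every negative input yields an offset below the start of the array; in the checked path the same bit patterns are large unsigned values and fail the range test before any pointer is formed.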

