List: oss-security
Subject: Re: [oss-security] CVE request -- kernel: proc: signedness issue
From: Eugene Teo <eugene () redhat ! com>
Date: 2011-04-20 0:58:23
Message-ID: 4DAE2FAF.60807 () redhat ! com
On 04/19/2011 07:54 PM, Petr Matousek wrote:
> "A signedness issue has been found in next_pidmap() function when the "last"
> parameter is negative as next_pidmap() just quietly accepted whatever
> "last" pid that was passed in, which is not all that safe when one of the
> users is /proc.
>
> Setting f_pos to negative value when accessing /proc via readdir()/getdents()
> resulted in sign extension of this value when map pointer was being
> constructed.
>
> This later led to #GP because the final pointer was not canonical (x86_64)."
>
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=697822
> http://groups.google.com/group/fa.linux.kernel/browse_thread/thread/93c1088451fd3522/4a28ecb7f755a88d?#4a28ecb7f755a88d
>
> Upstream commit:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c78193e9
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d8bdc59f
Use CVE-2011-1593.
Eugene
--
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
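
The signedness problem described in the quoted report, shown as an added userspace model; it is not part of the original message and is not the kernel code or the upstream patches. All names and sizes here (`BITS_PER_MAP`, `NMAPS`, `ID_LIMIT`, `index_unchecked`, `lookup_checked`, `readdir_checked`) are constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed sizes for this model; they are not the kernel's values. */
#define BITS_PER_MAP 32768
#define NMAPS        4
#define ID_LIMIT     (NMAPS * BITS_PER_MAP)

struct idmap { unsigned char bits[BITS_PER_MAP / 8]; };
static struct idmap maps[NMAPS];

/* Unchecked: a signed "last" goes straight into the index calculation.
 * Returns the element index that would be applied to maps[]. */
long long index_unchecked(int last)
{
    int idx = (last + 1) / BITS_PER_MAP;  /* negative in, negative out */
    return (long long)idx;                /* sign-extended when widened */
}

/* Hardened callee: take "last" as unsigned and range-check before use.
 * Returns a pointer inside maps[], or NULL when the value is rejected. */
struct idmap *lookup_checked(unsigned int last)
{
    if (last >= (unsigned int)(ID_LIMIT - 1))  /* keeps last + 1 in range */
        return NULL;
    return &maps[(last + 1) / BITS_PER_MAP];
}

/* Hardened caller: validate the user-controlled position before narrowing it. */
int readdir_checked(long long pos)
{
    if (pos < 0 || pos >= ID_LIMIT - 1)
        return -1;
    return lookup_checked((unsigned int)pos) ? 0 : -1;
}

int main(void)
{
    int bad = -100000;                    /* constructed negative position */
    printf("unchecked index for %d: %lld (valid range 0..%d)\n",
           bad, index_unchecked(bad), NMAPS - 1);
    printf("checked lookup: %s\n",
           lookup_checked((unsigned int)bad) ? "accepted" : "rejected");
    printf("checked readdir: %d\n", readdir_checked(bad));
    return 0;
}
```

The model checks the value in both the caller and the callee, so a negative position is rejected even if one of the two checks is missing.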