
List:       oss-security
Subject:    [oss-security] CVE request: kernel (ARM): heap corruption in OABI semtimedop
From:       Dan Rosenberg <dan.j.rosenberg () gmail ! com>
Date:       2011-04-29 15:24:54
Message-ID: BANLkTi=Ny1zUc1B2OYmON9JtU+weG2w35g () mail ! gmail ! com

The OABI wrapper for semtimedop does not bound the nsops argument.  A
sufficiently large value will cause an integer overflow in allocation
size, followed by copying too much data into the allocated buffer.
This only affects ARM systems with CONFIG_OABI_COMPAT set.

This is exploitable for local privilege escalation, but successful
exploitation requires winning a race.  Because user-to-kernel copy
functions on ARM zero the destination buffer even on failure to access
the provided user pointer, the copy loop in the vulnerable function
that causes the overflow will zero out large amounts of kernel heap if
not interrupted, crashing the system.  This should be possible to work
around though.

-Dan

[1] http://marc.info/?l=linux-kernel&m=130408851326428&w=2
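The following is an added illustration, not part of Dan's message or of the kernel source, of the size arithmetic the report describes: an unbounded element count multiplied by a fixed element size wraps in 32-bit arithmetic, so the allocation is small while the copy loop still iterates the full count. The struct layout (8 bytes) and the SEMOPM limit (500, the per-call operation limit in the kernel's sem.h) are stand-ins assumed for the example; the bounded version mirrors the shape of a range check on nsops, which is what the fix referenced above applies.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the OABI sembuf layout; only its size (8 bytes) matters here. */
struct oabi_sembuf {
    uint16_t sem_num;
    int16_t  sem_op;
    int16_t  sem_flg;
    uint16_t pad;
};

#define SEMOPM 500      /* assumed: upstream per-call operation limit */
#define EINVAL 22       /* errno value used by the kernel for a rejected argument */

/* Models the original 32-bit computation: nsops * sizeof(element) with no bound.
 * Both operands are 32-bit, so the product wraps modulo 2^32 and a huge count
 * can yield a tiny allocation size. */
uint32_t unchecked_alloc_size(uint32_t nsops)
{
    uint32_t elem = (uint32_t)sizeof(struct oabi_sembuf);
    return nsops * elem;            /* wraps on overflow */
}

/* Returns the number of bytes the copy loop would actually try to write,
 * computed without wrap, so it can be compared against the allocation. */
uint64_t bytes_copied_by_loop(uint32_t nsops)
{
    return (uint64_t)nsops * sizeof(struct oabi_sembuf);
}

/* Hardened variant: reject counts outside [1, SEMOPM] before any arithmetic.
 * With nsops bounded by 500, the product can never wrap. Returns 0 and sets
 * *size on success, -EINVAL otherwise. */
int bounded_alloc_size(uint32_t nsops, uint32_t *size)
{
    if (nsops < 1 || nsops > SEMOPM)
        return -EINVAL;
    *size = nsops * (uint32_t)sizeof(struct oabi_sembuf);
    return 0;
}

int main(void)
{
    uint32_t huge = 0x20000001u;   /* constructed: 2^29 + 1 operations */
    uint32_t size = 0;

    printf("unchecked: nsops=%u allocates %u bytes, loop copies %llu bytes\n",
           huge, unchecked_alloc_size(huge),
           (unsigned long long)bytes_copied_by_loop(huge));
    printf("bounded:   nsops=%u -> %d\n", huge, bounded_alloc_size(huge, &size));
    printf("bounded:   nsops=3 -> %d, size=%u\n", bounded_alloc_size(3, &size), size);
    return 0;
}
```

The first line of output shows the mismatch at the heart of the report: the allocation is 8 bytes while the loop would write 4 GiB past it, which is also why an interrupted copy that zero-fills on fault scribbles over large stretches of heap. The bounded variant fails closed with -EINVAL before any allocation happens.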