
List:       oss-security
Subject:    Re: [oss-security] CVE request -- kernel: macvtap: zerocopy: vector length is not validated before p
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-04-19 15:09:19
Message-ID: 4F902A9F.4060309 () redhat ! com

On 04/19/2012 08:28 AM, Petr Matousek wrote:
> Currently we do not validate the vector length before calling
> get_user_pages_fast(), so the host stack could easily be overflowed by
> a malicious guest driver that gives us descriptors with a length
> greater than MAX_SKB_FRAGS.
> 
> A privileged guest user could use this flaw to induce stack
> overflow on the host with attacker non-controlled data (some bits
> can be guessed, as it will be pointers to kernel memory) but with
> attacker controlled length.
> 
> Proposed fix thread: 
> http://marc.info/?l=linux-netdev&m=133455718001608&w=2
> 
> References: https://bugzilla.redhat.com/show_bug.cgi?id=814278
> 
> Thanks,

Please use CVE-2012-2119 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

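The check that the report above says was missing, as an added illustrative model written for this page and not the kernel's code or the patch from the linked netdev thread: before a zerocopy path pins guest pages into a fixed-size frag array, the number of pages the descriptor vector needs is counted and rejected if it exceeds MAX_SKB_FRAGS. The iovec layout, PAGE_SIZE and the MAX_SKB_FRAGS value are assumptions for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <errno.h>

/* Assumed constants for the model; the real values depend on the build. */
#define PAGE_SIZE     4096UL
#define MAX_SKB_FRAGS 17

/* Simplified stand-in for a guest-supplied descriptor (assumed layout). */
struct iovec_model {
    uintptr_t base;   /* guest user address */
    size_t    len;    /* attacker-controlled length */
};

/* Number of pages the range [base, base+len) touches; 0 for an empty range. */
static size_t pages_spanned(uintptr_t base, size_t len)
{
    if (len == 0)
        return 0;
    uintptr_t first = base / PAGE_SIZE;
    uintptr_t last  = (base + len - 1) / PAGE_SIZE;
    return (size_t)(last - first + 1);
}

/* Validate the whole vector before any page is pinned or any frag slot is
 * written. Returns the total page count (always <= MAX_SKB_FRAGS) on
 * success, -EINVAL for a range that wraps the address space, and
 * -EMSGSIZE when the guest-chosen lengths would need more frag slots than
 * the fixed-size array holds, which is the overflow the report describes. */
long validate_vector(const struct iovec_model *iov, size_t count)
{
    size_t total = 0;

    for (size_t i = 0; i < count; i++) {
        /* base + len must not wrap, or pages_spanned() would miscount. */
        if (iov[i].len > SIZE_MAX - iov[i].base)
            return -EINVAL;

        size_t n = pages_spanned(iov[i].base, iov[i].len);

        /* Compare against the remaining room so the sum cannot overflow. */
        if (n > MAX_SKB_FRAGS - total)
            return -EMSGSIZE;
        total += n;
    }
    return (long)total;
}
```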