List: oss-security
Subject: Re: [oss-security] CVE request: Kernel MSM - Memory leak in drivers/base/genlock.c
From: Seth Arnold <seth.arnold () canonical ! com>
Date: 2013-11-26 1:20:17
Message-ID: 20131126012017.GB26817 () hunt
On Tue, Nov 26, 2013 at 12:57:23AM +0000, Christey, Steven M. wrote:
> Kurt said:
>
> >> The Genlock driver does not properly initialize all members of a
> >> structure before copying it to user space. This allows a local
> >> attacker to obtain potentially sensitive information from kernel
> >> stack memory via ioctl system calls.
> >
> >This should be classified as CWE-200 Information Disclosure, "memory
> >leak" refers to memory being used and not released properly, resulting
> >in out of memory conditions.
>
> In CWE, we discourage the "memory leak" term because it has multiple
> meanings and interpretations: (1) that memory is allocated but never
> released, or (2) that sensitive portions of memory are accidentally
> disclosed to untrusted parties.
>
> This request sounds like variant (2) of the varying uses of the "memory
> leak" term, although Kurt's interpretation seems to be that it's about
> variant (1), which further reinforces my personal desire to see that
> term go away forever.
I wrote a response to Kurt, suggesting that he had mis-diagnosed the
problem but did not send my response when I found that his message said
the same thing mine said once you replace his first ',' with a ';'. Try
this instead:
> >This should be classified as CWE-200 Information Disclosure; "memory
> >leak" refers to memory being used and not released properly, resulting
> >in out of memory conditions.
[Kurt's words with the first comma replaced with a semicolon.]
It's amazing what a difference two pixels can make. :)
> Anyway... Note that, as this issue is described, "information
> disclosure" actually results from a root cause in which certain
> locations are not properly initialized. Thus CWE-665: Improper
> Initialization (or its child CWE-457 Use of Uninitialized Variable) are
> probably more appropriate characterizations of the core issue; in this
> case, it happens to lead to memory disclosure, but in other cases, it
> might lead to privilege escalation or other consequences (depending on
> how the uninitialized data is used.)
I came up with CWE 212 before I properly parsed Kurt's mail:
CWE-212: Improper Cross-boundary Removal of Sensitive Data
With so much to choose from it's surprising the fix is one line of code. :)
Thanks
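The bug class under discussion (an ioctl handler that fills in some members of a stack structure and copies the whole thing to user space) and the one-line fix, as an added userspace simulation that is not the genlock driver's code: the struct layout, field values and the 0xA5 "stale stack" pattern are constructed for the demonstration, and it goes slightly beyond the thread by also counting compiler padding, which a field-by-field initializer never touches either.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical ioctl reply layout (not the real genlock struct): the buggy
 * handler never assigns 'reserved'; common ABIs also pad after 'flags' and 'version'. */
struct lock_info {
    uint8_t  flags;
    uint32_t handle;
    uint16_t version;
    uint32_t reserved;
};
#define STALE 0xA5  /* constructed stand-in for leftover kernel stack data */

union stack_slot {  /* lets the "stack" be pre-filled and inspected bytewise */
    struct lock_info info;
    unsigned char raw[sizeof(struct lock_info)];
};

/* Buggy handler: named members only, so 'reserved' and the padding keep
 * stale bytes. memcpy() stands in for copy_to_user(), the boundary crossing. */
static void ioctl_get_info_vuln(struct lock_info *info, unsigned char *user)
{
    info->flags = 1;
    info->handle = 42;
    info->version = 3;
    memcpy(user, info, sizeof *info);
}

/* Fixed handler: one added memset() zeroes every byte, padding included. */
static void ioctl_get_info_fixed(struct lock_info *info, unsigned char *user)
{
    memset(info, 0, sizeof *info);
    info->flags = 1;
    info->handle = 42;
    info->version = 3;
    memcpy(user, info, sizeof *info);
}

/* Runs a handler on a STALE-filled slot; returns how many STALE bytes
 * reached the user buffer, i.e. the size of the disclosure. */
static size_t leaked_bytes(void (*handler)(struct lock_info *, unsigned char *))
{
    union stack_slot slot;
    unsigned char user[sizeof(struct lock_info)];
    size_t i, leaked = 0;
    memset(slot.raw, STALE, sizeof slot.raw);
    handler(&slot.info, user);
    for (i = 0; i < sizeof user; i++)
        leaked += (user[i] == STALE);
    return leaked;
}
```

On a typical 64-bit build the buggy handler discloses 9 of the 16 bytes (4 from the forgotten member, 5 from padding) and the fixed one discloses none.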