
List:       oss-security
Subject:    Re: [oss-security] CVE request: Kernel MSM - Memory leak in drivers/base/genlock.c
From:       Seth Arnold <seth.arnold () canonical ! com>
Date:       2013-11-26 1:20:17
Message-ID: 20131126012017.GB26817 () hunt


On Tue, Nov 26, 2013 at 12:57:23AM +0000, Christey, Steven M. wrote:
> Kurt said:
> 
> >> The Genlock driver does not properly initialize all members of a
> >> structure before copying it to user space. This allows a local
> >> attacker to obtain potentially sensitive information from kernel
> >> stack memory via ioctl system calls.
> >
> >This should be classified as CWE-200 Information Disclosure, "memory
> >leak" refers to memory being used and not released properly, resulting
> >in out of memory conditions.
> 
> In CWE, we discourage the "memory leak" term because it has multiple
> meanings and interpretations: (1) that memory is allocated but never
> released, or (2) that sensitive portions of memory are accidentally
> disclosed to untrusted parties.
> 
> This request sounds like variant (2) of the varying uses of the "memory
> leak" term, although Kurt's interpretation seems to be that it's about
> variant (1), which further reinforces my personal desire to see that
> term go away forever.

I wrote a response to Kurt, suggesting that he had mis-diagnosed the
problem but did not send my response when I found that his message said
the same thing mine said once you replace his first ',' with a ';'. Try
this instead:

> >This should be classified as CWE-200 Information Disclosure; "memory
> >leak" refers to memory being used and not released properly, resulting
> >in out of memory conditions.

[Kurt's words with the first comma replaced with a semicolon.]

It's amazing what a difference two pixels can make. :)

> Anyway... Note that, as this issue is described, "information
> disclosure" actually results from a root cause in which certain
> locations are not properly initialized.  Thus CWE-665: Improper
> Initialization (or its child CWE-457 Use of Uninitialized Variable) are
> probably more appropriate characterizations of the core issue; in this
> case, it happens to lead to memory disclosure, but in other cases, it
> might lead to privilege escalation or other consequences (depending on
> how the uninitialized data is used.)

I came up with CWE 212 before I properly parsed Kurt's mail:
CWE-212: Improper Cross-boundary Removal of Sensitive Data

With so much to choose from it's surprising the fix is one line of code. :)


Thanks

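As an added illustration of the class this thread is classifying (not code from the thread or from the genlock driver), the following puts the uninitialized-struct pattern beside its one-line fix and adds a check that counts stale bytes left for copy_to_user() to disclose. The struct layout, the STALE marker and the function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for an ioctl reply struct (not the genlock layout):
 * the compiler pads 3 bytes after 'flags' to align 'handle', and
 * 'reserved' is a member the handler never writes. */
struct reply {
    uint8_t  flags;      /* followed by 3 padding bytes */
    uint32_t handle;
    uint32_t reserved;   /* never assigned by the buggy handler */
};

/* Stale byte value standing in for whatever a previous call left on the
 * kernel stack where this struct is about to be placed. */
#define STALE 0xAA

/* Buggy pattern (CWE-457): assign the fields you care about, then copy
 * the whole struct to user space. Padding and 'reserved' keep whatever
 * the stack held before, so copy_to_user() discloses it (CWE-200). */
void build_reply_buggy(struct reply *r, uint32_t handle)
{
    r->flags = 1;
    r->handle = handle;
}

/* Fixed pattern: zero the whole object before filling it, so every byte
 * that reaches user space has a known value. This is the one-line fix. */
void build_reply_fixed(struct reply *r, uint32_t handle)
{
    memset(r, 0, sizeof *r);
    r->flags = 1;
    r->handle = handle;
}

/* Review/test helper: run a handler on a struct pre-filled with STALE and
 * count the bytes that would still carry stale data to user space.
 * Any non-zero result is an information disclosure. */
size_t count_stale_bytes(void (*build)(struct reply *, uint32_t))
{
    struct reply r;
    memset(&r, STALE, sizeof r);            /* simulate a dirty stack frame */
    build(&r, 0x42u);                       /* handler fills what it knows */
    const unsigned char *p = (const unsigned char *)&r;
    size_t stale = 0;
    for (size_t i = 0; i < sizeof r; i++)
        if (p[i] == STALE)
            stale++;
    return stale;                           /* fixed handler: always 0 */
}
```

The same pre-poison-and-count idea is what a unit test or a KMSAN-style tool applies to real handlers: the fixed version returns 0 stale bytes, the buggy one leaks at least the 4 bytes of 'reserved' plus, in practice, the padding.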
