[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE request - kernel: char: Int overflow in lp_do_ioctl()
From:       Greg KH <greg () kroah ! com>
Date:       2013-12-31 7:05:01
Message-ID: 20131231070501.GA5874 () kroah ! com
[Download RAW message or body]

On Tue, Dec 31, 2013 at 02:33:57PM +0800, Yongjian Xu wrote:
> Hi,
> 
> https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git/commit/?id=1c2de820d66d704c7d6fffdd872b7670eb4e29bb
>  
> This is an integer overflow, and can be controlled via ioctl.
> 
> arg comes from user-space, so int overflow may occur in this:
> LP_TIME(minor) = arg * HZ/100;

What exactly can happen if you set that value to a really high number?
(hint, I really don't think anything happens at all, no matter what you
set that value to...)

How does this warrent a CVE?

thanks,

greg k-h


[prev in list] [next in list] [prev in thread] [next in thread]