Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request: multiple kernel stack memory disclosures
From: "Steven M. Christey" <coley () linus mitre org>
Date: Mon, 25 Oct 2010 17:52:36 -0400 (EDT)



All,

I apologize for taking so long to handle this.  Dan, thanks for being
so diligent about digging up more information!  That couldn't have
been easy, let alone fun.

- Steve


========================================================================

http://www.openwall.com/lists/oss-security/2010/10/07/1

Author: Dan Rosenberg


 ipc/shm.c (shmctl), reported and fixed by Kees Cook
 Affects >= 2.6.0, >= 2.4.0

 Reference:
 http://lkml.org/lkml/2010/10/6/454

CVE-2010-4072


 ipc/compat.c (compat versions of semctl, shmctl, and msgctl)
 Affects >= 2.6.8

 ipc/compat_mq (compat versions of mq_open and mq_getsetattr)
 Affects >= 2.6.8

 Reference:
 http://lkml.org/lkml/2010/10/6/492

CVE-2010-4073


========================================================================

http://www.openwall.com/lists/oss-security/2010/10/06/6

Author: Dan Rosenberg

Due to the high variation in affected kernel versions, most of these
are SPLIT.



TIOCGICOUNT stack leaks:

(see http://lkml.org/lkml/2010/9/16/294)

 usb/serial/mos*.c
 Fixed in 2.6.36-rc5
 Affects >= 2.6.19

CVE-2010-4074


drivers/serial/serial_core.c
Not fixed yet (Alan Cox's fix will be in 2.6.37)
Affects >= 2.6.0


CVE-2010-4075


drivers/char/amiserial.c
Not fixed yet (Alan Cox's fix will be in 2.6.37)
Affects >= 2.6.0, >= 2.4.0


CVE-2010-4076

drivers/char/nozomi.c
Not fixed yet (Alan Cox's fix will be in 2.6.37)
Affects >= 2.6.25

CVE-2010-4077


drivers/net/usb/hso.c (CVE-2010-3298)
Fixed in 2.6.36-rc5
Affects >= 2.6.29

Already assigned - CVE-2010-3298


FBIOGET_VBLANK stack leaks:


drivers/video/sis/sis_main.c
Fixed in 2.6.36-rc6
Affects >= 2.6.11

CVE-2010-4078


drivers/video/ivtv/ivtvfb.c
Not fixed yet (patch has been queued)
Affects >= 2.6.24

CVE-2010-4079


Miscellaneous device ioctl stack leaks:

sound/pci/rme9652/hdsp*.c
Fixed in 2.6.36-rc6
Affects >= 2.6.0 (hdsp.c), >= 2.6.13 (hdspm.c)

These are SPLIT because the affected files are in different versions.

hdsp.c - CVE-2010-4080

hdspm.c - CVE-2010-4081


drivers/video/via/ioctl.c
Fixed in 2.6.36-rc5
Affects >= 2.6.28

CVE-2010-4082


drivers/net/cxgb3/cxgb3_main.c (CVE-2010-3296)
Fixed in 2.6.36-rc5
Affects >= 2.6.21


Already assigned - CVE-2010-3296


drivers/net/eql.c (CVE-2010-3297)
Fixed in 2.6.36-rc5
Affects >= 2.6.0, >= 2.4.0


Already assigned - CVE-2010-3297


System call stack leak:

ipc/sem.c
Not fixed yet (patch queued)
Affects >= 2.6.0, >= 2.4.0

Presumably the lack of a current patch means this will affect a
different version than CVE-2010-4072 (ipc/shm.c shmctl), see above.

CVE-2010-4083


- Steve


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]