oss-sec mailing list archives

CVE request: kernel: two bluetooth and one ebtables infoleaks/DoSes
From: Vasiliy Kulikov <segoon () openwall com>
Date: Mon, 28 Feb 2011 22:48:36 +0300

Hi,

"struct sco_conninfo has one padding byte in the end.  Local variable
cinfo of type sco_conninfo is copied to userspace with this
uninitialized one byte, leading to old stack contents leak."

https://lkml.org/lkml/2011/2/14/49


"Struct ca is copied from userspace.  It is not checked whether the
"device" field is NULL terminated.  This potentially leads to BUG()
inside of alloc_netdev_mqs() and/or information leak by creating a
device with a name made of contents of kernel stack."

https://lkml.org/lkml/2011/2/14/50


"Struct tmp is copied from userspace.  It is not checked whether the
"name" field is NULL terminated.  This may lead to buffer overflow and
passing contents of kernel stack as a module name to
try_then_request_module() and, consequently, to modprobe commandline.
It would be seen by all userspace processes."

https://lkml.org/lkml/2011/2/14/51


The vulnerable code was written before the "git epoch".  One needs
CAP_NET_ADMIN to exploit the 2nd and the 3rd.


JFI, the patch to prevent the panic inside of alloc_netdev() (to prevent
analogues of #2) was rejected by upstream:

https://lkml.org/lkml/2011/2/14/52


Thanks,

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
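The two defect classes described in the message, modelled as an added userland C program (this is illustration code, not the kernel's code or the patches linked above): a struct with a trailing padding byte copied out whole, with and without the clearing memset, and a fixed-size name copied in from userspace that is checked for a terminator before use. The struct layout and the 0xAA "stale stack" pattern are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modelled on struct sco_conninfo (a __u16 handle followed by three __u8
 * class bytes), which the compiler pads to 6 bytes; the trailing padding
 * byte is never written by field assignments. Layout is an assumption. */
struct conninfo_model {
    uint16_t hci_handle;
    uint8_t  dev_class[3];
};

/* Constructed stand-in for stale stack data that the padding byte exposes. */
#define STALE_BYTE 0xAA

/* The union lets us pre-fill the struct's storage byte by byte, standing in
 * for whatever an earlier call left on the kernel stack. */
typedef union {
    struct conninfo_model s;
    unsigned char raw[sizeof(struct conninfo_model)];
} slot_t;

/* Simulates the getsockopt path: fill the fields, copy the whole struct to
 * the caller (the copy_to_user step). Returns how many stale bytes leaked. */
static int leaked_bytes(int clear_first) {
    slot_t cinfo;
    unsigned char user[sizeof cinfo.raw];
    memset(cinfo.raw, STALE_BYTE, sizeof cinfo.raw);  /* "old" stack data */
    if (clear_first)
        memset(&cinfo, 0, sizeof cinfo);  /* the fix: zero the padding too */
    cinfo.s.hci_handle = 0x0042;
    memcpy(cinfo.s.dev_class, "\x01\x02\x03", 3);
    memcpy(user, cinfo.raw, sizeof cinfo.raw);
    int leaked = 0;
    for (size_t i = 0; i < sizeof user; i++)
        if (user[i] == STALE_BYTE) leaked++;
    return leaked;
}

/* The ebtables/netdev side: a fixed-size name copied from userspace must be
 * checked for a terminator before use. 0 = ok, -1 = reject the request. */
static int check_nul_terminated(const char *name, size_t len) {
    return memchr(name, '\0', len) ? 0 : -1;
}

int main(void) {
    printf("stale bytes leaked without memset: %d, with memset: %d\n",
           leaked_bytes(0), leaked_bytes(1));
    printf("name check: \"eth0\" -> %d, 16 x 'A' -> %d\n",
           check_nul_terminated("eth0", 5),
           check_nul_terminated("AAAAAAAAAAAAAAAA", 16));
    return 0;
}
```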

