|
oss-sec
mailing list archives
CVE request: kernel: two bluetooth and one ebtables infoleaks/DoSes
From: Vasiliy Kulikov <segoon () openwall com>
Date: Mon, 28 Feb 2011 22:48:36 +0300
Hi,
"struct sco_conninfo has one padding byte in the end. Local variable
cinfo of type sco_conninfo is copied to userspace with this
uninizialized one byte, leading to old stack contents leak."
https://lkml.org/lkml/2011/2/14/49
"Struct ca is copied from userspace. It is not checked whether the
"device" field is NULL terminated. This potentially leads to BUG()
inside of alloc_netdev_mqs() and/or information leak by creating a
device with a name made of contents of kernel stack."
https://lkml.org/lkml/2011/2/14/50
"Struct tmp is copied from userspace. It is not checked whether the
"name" field is NULL terminated. This may lead to buffer overflow and
passing contents of kernel stack as a module name to
try_then_request_module() and, consequently, to modprobe commandline.
It would be seen by all userspace processes."
https://lkml.org/lkml/2011/2/14/51
The vulnerable code was written before the "git epoch". One needs
CAP_NET_ADMIN to exploit the 2nd and the 3rd.
JFI, the patch to prevent the panic inside of alloc_netdev() (to prevent
analogues of #2) was rejected by upstream:
https://lkml.org/lkml/2011/2/14/52
Thanks,
--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
 By Date 
By Thread
Current thread:
- CVE request: kernel: two bluetooth and one ebtables infoleaks/DoSes Vasiliy Kulikov (Feb 28)
|
