Home page logo
/

oss-sec logo oss-sec mailing list archives

CVE request -- Linux kernel: call_console_drivers() Function Log Prefix Stripping buffer overflow
From: Petr Matousek <pmatouse () redhat com>
Date: Tue, 26 Feb 2013 12:39:05 +0100

A buffer overflow flaw was found in kernels from 3.0 to 3.4 when calling
log_prefix() function from call_console_drivers().
    
This bug existed in previous releases but has been revealed with commit
162a7e7500f9664636e649ba59defe541b7c2c60 (2.6.39 => 3.0) that made
changes about how to allocate memory for early printk buffer (use of
memblock_alloc). It disappears with commit
7ff9554bb578ba02166071d2d487b7fc7d860d62 (3.4 => 3.5) that does a
refactoring of printk buffer management.

In log_prefix(), the access to "p[0]", "p[1]", "p[2]" or
"simple_strtoul(&p[1], &endp, 10)" may cause a buffer overflow as this
function is called from call_console_drivers by passing
"&LOG_BUF(cur_index)" where the index must be masked to do not exceed
the buffer's boundary.

Note: /dev/kmsg is root writable only (at least on RHEL/Fedora), but it
still might cause issues in restricted root environments.

References:
https://bugs.gentoo.org/458780
https://secunia.com/advisories/52366/

Thanks,
-- 
Petr Matousek / Red Hat Security Response Team


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]