
oss-sec mailing list archives

Re: CVE Request -- Linux kernel: sctp: SCTP_GET_ASSOC_STATS stack overflow
From: Petr Matousek <pmatouse () redhat com>
Date: Fri, 8 Mar 2013 04:47:44 +0100

It's a stack buffer overflow, not a stack overflow, sorry.

On Fri, Mar 08, 2013 at 04:23:49AM +0100, Petr Matousek wrote:
A local user could use the missing size check in the
sctp_getsockopt_assoc_stats() function to escalate their privileges. On
x86 this might be mitigated by the destination object size check, as the
destination size is known at compile time.

Upstream fix:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=726bc6b0

Introduced by:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=196d6759

Introduced in:
v3.8-rc1

References:
https://twitter.com/grsecurity/status/309805924749541376
http://grsecurity.net/~spender/sctp.c

https://bugzilla.redhat.com/show_bug.cgi?id=919315

Thanks,
-- 
Petr Matousek / Red Hat Security Response Team
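
The bug class described in the message, as an added user-space example that is not part of the original post and is not the kernel's code: a getsockopt-style handler copies a caller-chosen length into a fixed-size stack object. The struct layout and the names `assoc_stats`, `checked_copy`, `get_stats_unchecked` and `get_stats_checked` are hypothetical; `checked_copy` models a copy routine that knows the destination size, as the x86 mitigation in the message does.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the stats struct; the field layout is an assumption. */
struct assoc_stats {
    int32_t  assoc_id;       /* caller must supply at least this field */
    uint64_t counters[4];
};

/* Models a copy that knows the destination size and refuses to exceed it
 * (the "destination object size check" mentioned in the message). */
static int checked_copy(void *dst, size_t dst_size, const void *src, size_t len)
{
    if (len > dst_size)
        return -EFAULT;      /* would write past the stack object */
    memcpy(dst, src, len);
    return 0;
}

/* Handler without the size check: len is used exactly as the caller gave it.
 * Only checked_copy() stands between an oversized len and the stack. */
int get_stats_unchecked(const void *optval, size_t len, struct assoc_stats *out)
{
    struct assoc_stats sas;
    memset(&sas, 0, sizeof(sas));
    if (checked_copy(&sas, sizeof(sas), optval, len))
        return -EFAULT;
    *out = sas;
    return (int)len;
}

/* Handler with the size check: reject short input, clamp long input. */
int get_stats_checked(const void *optval, size_t len, struct assoc_stats *out)
{
    struct assoc_stats sas;
    memset(&sas, 0, sizeof(sas));
    if (len < sizeof(sas.assoc_id))
        return -EINVAL;
    if (len > sizeof(sas))
        len = sizeof(sas);   /* never copy more than the stack object holds */
    if (checked_copy(&sas, sizeof(sas), optval, len))
        return -EFAULT;
    *out = sas;
    return (int)len;
}
```

With a plain `memcpy` in place of `checked_copy`, the unchecked handler would write `len` bytes over a `sizeof(sas)`-byte stack object; the checked handler is safe with either copy routine.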

