CVE request: kernel: two bluetooth and one ebtables infoleaks/DoSes

[Vasiliy Kulikov <segoon () openwall com>]

Hi,

"struct sco_conninfo has one padding byte in the end.  Local variable
cinfo of type sco_conninfo is copied to userspace with this
uninizialized one byte, leading to old stack contents leak."

https://lkml.org/lkml/2011/2/14/49


"Struct ca is copied from userspace.  It is not checked whether the
"device" field is NULL terminated.  This potentially leads to BUG()
inside of alloc_netdev_mqs() and/or information leak by creating a
device with a name made of contents of kernel stack."

https://lkml.org/lkml/2011/2/14/50


"Struct tmp is copied from userspace.  It is not checked whether the
"name" field is NULL terminated.  This may lead to buffer overflow and
passing contents of kernel stack as a module name to
try_then_request_module() and, consequently, to modprobe commandline.
It would be seen by all userspace processes."

https://lkml.org/lkml/2011/2/14/51


The vulnerable code was written before the "git epoch".  One needs
CAP_NET_ADMIN to exploit the 2nd and the 3rd.


JFI, the patch to prevent the panic inside of alloc_netdev() (to prevent
analogues of #2) was rejected by upstream:

https://lkml.org/lkml/2011/2/14/52


Thanks,

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments