Re: CVE request -- kernel: macvtap: zerocopy: vector length is not validated before pinning user pages

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/19/2012 08:28 AM, Petr Matousek wrote:
> Currently we do not validate the vector length before calling 
> get_user_pages_fast(), host stack could be easily overflowed by 
> malicious guest driver who gives us a descriptors with length
> greater than MAX_SKB_FRAGS.
>
> A privileged guest user could use this flaw to induce stack
> overflow on the host with attacker non-controlled data (some bits
> can be guessed, as it will be pointers to kernel memory) but with
> attacker controlled length.
>
> Proposed fix thread: 
> http://marc.info/?l=linux-netdev&m=133455718001608&w=2
>
> References: https://bugzilla.redhat.com/show_bug.cgi?id=814278
>
> Thanks,

Please use CVE-2012-2119 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPkCqfAAoJEBYNRVNeJnmTeNkP/153dMhF0c6w3gixH+SioOx+
yOfM0eJRm2lG7qwaAyZI5J280IfuaTDDTG86eTrlNi66W25FVBTmgnHayN1PvTHT
t3/ZUmu0jCdzfwbzNfAIuhv0RHgMSiVGb+ixaCZNv9zA80l7ltIKbQnKxADQlgzK
THNzS+HiPCAgdaSGi3TfkOkhSnXDXS3HTFgfsHF0NZVS7ES5sd7wIjYnHRl72Ybf
1oFDhFNZMFOj7Vnm0+ESPMzAJW+MdQDpA5HmKAMuA3rSUhVhccMgXIg3JjMg3g2W
mqjrYgXllL1QzFyJ/3BaApcZH8+j75g3onII6Bh5RQ7tiYnDtdrr/U7XiTWCE6/I
dQS4VSQTMoVZj4gN5JxO65gQunhTvrx4k1LM1s14nk5C3TNQf+WREqWKBwPhU06x
/HzfMboCpAfu7blycKdTj1Ol+be2GeIMdyJIrRWLMYDvrx7mSbxFTesUAdJTGcQg
ck3uVxw3yY7XFWXd7F7SS2acTDZJVBE4kbm7F3xOHRjR1/deHjOVcaJ81fzSH34e
xP6syJsmNjxBTTQzC2wmoTeR9EiwjP/LHpb65kwLRCbD8B0qlY7b1E1x4sNkjjCB
DQLGGC0W2n+mWQvaMlD6E9R+rs/cHVCmjkvjz0eQvGZm2I3NlljuL1H5NGsDcMJC
Ne2SCBJcF86Hl5o1lq8n
=pZNZ
-----END PGP SIGNATURE-----