oss-sec mailing list archives

Re: CVE Request -- Linux kernel: sctp: SCTP_GET_ASSOC_STATS stack overflow


From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 07 Mar 2013 20:32:03 -0700

On 03/07/2013 08:23 PM, Petr Matousek wrote:
> A local user could use the missing size check in
> sctp_getsockopt_assoc_stats() function to escalate their
> privileges. On x86 this might be mitigated by destination object
> size check as the destination size is known at compile time.
>
> Upstream fix:
> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=726bc6b0
>
> Introduced by:
> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=196d6759
>
> Introduced in: v3.8-rc1
>
> References:
> https://twitter.com/grsecurity/status/309805924749541376
> http://grsecurity.net/~spender/sctp.c
>
> Thanks,

Please use CVE-2013-1828 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
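
The size-check pattern at issue, as an added example that is not part of the original message or the kernel source: a user-space C model of a getsockopt-style handler that bounds the caller-supplied length against its fixed-size stack object before copying. `struct assoc_stats`, `copy_checked` and `get_assoc_stats` are hypothetical names, and clamping the length is this example's choice of check.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the fixed-size stats object kept on the handler's stack. */
struct assoc_stats {
    int32_t  assoc_id;
    uint64_t counters[4];
};

/* Model of a size-aware copy: refuses to write more than the destination holds. */
static int copy_checked(void *dst, size_t dst_size, const void *src, size_t n)
{
    if (n > dst_size)
        return -1;
    memcpy(dst, src, n);
    return 0;
}

/* Returns the number of bytes accepted from the caller, or a negative errno. */
long get_assoc_stats(const void *optval, size_t len, struct assoc_stats *out)
{
    struct assoc_stats sas;

    if (len < sizeof(sas.assoc_id))   /* too short to name an association */
        return -EINVAL;
    if (len > sizeof(sas))            /* upper bound: never copy past the stack object */
        len = sizeof(sas);

    memset(&sas, 0, sizeof(sas));
    if (copy_checked(&sas, sizeof(sas), optval, len))
        return -EFAULT;

    *out = sas;
    return (long)len;
}

int main(void)
{
    unsigned char request[256];       /* constructed oversized request */
    struct assoc_stats out;

    memset(request, 0x41, sizeof(request));
    printf("oversized:  %ld\n", get_assoc_stats(request, sizeof(request), &out));
    printf("undersized: %ld\n", get_assoc_stats(request, 2, &out));
    return 0;
}
```

The lower-bound test alone leaves the copy size caller-controlled; the upper bound is what keeps the copy inside `sas`, and `copy_checked` models a second, destination-size-aware layer.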
