Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <BANLkTi=Ny1zUc1B2OYmON9JtU+weG2w35g@mail.gmail.com>
Date: Fri, 29 Apr 2011 11:24:54 -0400
From: Dan Rosenberg <dan.j.rosenberg@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: kernel (ARM): heap corruption in OABI semtimedop

The OABI wrapper for semtimedop does not bound the nsops argument.  A
sufficiently large value will cause an integer overflow in allocation
size, followed by copying too much data into the allocated buffer.
This only affects ARM systems with CONFIG_OABI_COMPAT set.

This is exploitable for local privilege escalation, but successful
exploitation requires winning a race.  Because user-to-kernel copy
functions on ARM zero the destination buffer even on failure to access
the provided user pointer, the copy loop in the vulnerable function
that causes the overflow will zero out large amounts of kernel heap if
not interrupted, crashing the system.  This should be possible to work
around though.

-Dan

[1] http://marc.info/?l=linux-kernel&m=130408851326428&w=2

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.