|
Message-ID: <BANLkTi=Ny1zUc1B2OYmON9JtU+weG2w35g@mail.gmail.com> Date: Fri, 29 Apr 2011 11:24:54 -0400 From: Dan Rosenberg <dan.j.rosenberg@...il.com> To: oss-security@...ts.openwall.com Subject: CVE request: kernel (ARM): heap corruption in OABI semtimedop The OABI wrapper for semtimedop does not bound the nsops argument. A sufficiently large value will cause an integer overflow in allocation size, followed by copying too much data into the allocated buffer. This only affects ARM systems with CONFIG_OABI_COMPAT set. This is exploitable for local privilege escalation, but successful exploitation requires winning a race. Because user-to-kernel copy functions on ARM zero the destination buffer even on failure to access the provided user pointer, the copy loop in the vulnerable function that causes the overflow will zero out large amounts of kernel heap if not interrupted, crashing the system. This should be possible to work around though. -Dan [1] http://marc.info/?l=linux-kernel&m=130408851326428&w=2
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.