lists.openwall.net: Open Source and information security mailing list archives
Date: Fri, 22 Oct 2010 09:49:21 -0400
From: Jon Maloy <jon.maloy@...csson.com>
To: Dan Rosenberg <drosenberg@...curity.com>, "allan.stephens@...driver.com" <allan.stephens@...driver.com>
CC: "security@...nel.org" <security@...nel.org>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: RE: TIPC security issues

Acked. We clearly have a couple of things to fix here. We'll try to get it done asap.

///jon

> -----Original Message-----
> From: Dan Rosenberg [mailto:drosenberg@...curity.com]
> Sent: October-21-10 19:46
> To: Jon Maloy; allan.stephens@...driver.com
> Cc: security@...nel.org; netdev@...r.kernel.org
> Subject: TIPC security issues
>
> The tipc_msg_build() function in net/tipc/msg.c is written in such a way
> as to create a highly exploitable kernel heap overflow that would allow a
> local user to escalate privileges to root by issuing maliciously crafted
> sendmsg() calls. At a minimum, the following issues should be fixed:
>
> 1. The tipc_msg_calc_data_size() function is almost totally broken. It
> sums together size_t values (iov_lens), but returns an integer. Two
> things can go wrong - the total value can wrap around, or on 64-bit
> platforms, iov_len values greater than UINT_MAX will be truncated.
>
> 2. The comparison of dsz to TIPC_MAX_USER_MSG_SIZE is signed, so negative
> (large unsigned) values will pass this check.
>
> 3. The comparison of sz to max_size is also signed.
>
> As a result of these issues, it's possible to cause the allocation of a
> small heap buffer and the subsequent copying of a carefully controlled
> larger amount of data into that buffer.
>
> I haven't found a Linux distribution that defines a module alias for TIPC
> (even though most compile it as a module), so an administrator will have
> had to explicitly load the TIPC module for a system to be vulnerable.
>
> -Dan
>

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
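The three defects Dan lists, as an added C example that is not the kernel's TIPC code: a stand-in size calculation written the way the report describes (size_t lengths summed into an int, then compared signed) beside a hardened version that accumulates in size_t, rejects wrap-around and compares unsigned. The limit constant, the `iov` struct and the sample lengths are constructed assumptions, not values from the kernel.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Illustrative limit; the real value lives in TIPC's headers (assumption). */
#define MAX_USER_MSG_SIZE 66000u

struct iov { size_t len; };          /* stand-in for struct iovec */

/* Flawed pattern from the report: size_t lengths accumulated into an int.
 * On 64-bit, lengths above UINT_MAX are truncated; any platform can wrap. */
static int calc_data_size_broken(const struct iov *v, unsigned n)
{
    int dsz = 0;
    for (unsigned i = 0; i < n; i++)
        dsz += v[i].len;                /* size_t -> int: wraps/truncates */
    return dsz;
}

/* Signed comparison: a negative (huge unsigned) total passes the bound. */
static bool size_check_broken(const struct iov *v, unsigned n)
{
    int dsz = calc_data_size_broken(v, n);
    return dsz <= (int)MAX_USER_MSG_SIZE;
}

/* Hardened: accumulate in size_t, reject wrap-around, compare unsigned. */
static bool calc_data_size_fixed(const struct iov *v, unsigned n, size_t *out)
{
    size_t dsz = 0;
    for (unsigned i = 0; i < n; i++) {
        if (v[i].len > SIZE_MAX - dsz)
            return false;               /* sum would wrap */
        dsz += v[i].len;
    }
    *out = dsz;
    return true;
}

static bool size_check_fixed(const struct iov *v, unsigned n)
{
    size_t dsz;
    return calc_data_size_fixed(v, n, &dsz) && dsz <= MAX_USER_MSG_SIZE;
}

/* Constructed inputs: an ordinary buffer, one whose length converts to a
 * negative int (INT_MIN on gcc/clang), and a pair whose sum wraps to 0. */
static const struct iov sample_ok[]   = { { 100 } };
static const struct iov sample_big[]  = { { (size_t)0x80000000u } };
static const struct iov sample_wrap[] = { { SIZE_MAX }, { 1 } };
```

The broken check accepts both `sample_big` and `sample_wrap`, which is exactly the small-allocation-then-large-copy condition the report describes; the fixed check rejects both.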