path: root/retired/CVE-2010-3437
Candidate: CVE-2010-3437
Description: 
 > ----- "Eugene Teo" <eugeneteo@kernel.sg> wrote:
 > As Dan Rosenberg explained in the patch commit: The PKT_CTRL_CMD_STATUS 
 > device ioctl retrieves a pointer to a pktcdvd_device from the global 
 > pkt_devs array.  The index into this array is provided directly by the
 > user and is a signed integer, so the comparison to ensure that it falls 
 > within the bounds of this array will fail when provided with a
 > negative index.
 > 
 > This can be used to read arbitrary kernel memory or cause a crash due to 
 > an invalid pointer dereference.  This can be exploited by users with 
 > permission to open /dev/pktcdvd/control (on many distributions, this is 
 > readable by group "cdrom").
References:
 https://bugzilla.redhat.com/show_bug.cgi?id=638085
Notes:
 exploit: http://jon.oberheide.org/files/cve-2010-3437.c
 only an info disclosure, but seems to be able to dump any/all kernel memory
 jmm> Submitted for 2.6.32.x on 2010-01-10.
Bugs:
upstream: released (2.6.36-rc6) [252a52aa4fa22a668f019e55b3aac3ff71ec1c29]
2.6.32-upstream-stable: released (2.6.32.30)
linux-2.6: released (2.6.32-25) [bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch]
2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch]
2.6.32-squeeze-security: released (2.6.32-25) [bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch]
