path: root/retired/CVE-2017-2618
blob: 0e61321b0896a777bd49aefeed100b9faa184a6e
Description: selinux: fix off-by-one in setprocattr 
References:
Notes:
 carnil> Possibly introduced in 3.5-rc1 with d6ea83ec6864e9297fa8b00ec3dae183413a90e3
 bwh> The off-by-one error was introduced in Linux 2.6.12 (just before
 bwh> the switch to git), as a (very minor) information leak.  The above
 bwh> commit increased the security impact - writing exactly "\n" can
 bwh> result in a buffer under-read and oops, which is what this CVE
 bwh> describes.  Later, commit bb646cdb12e7 "proc_pid_attr_write():
 bwh> switch to memdup_user()" reduced the buffer size so there is also
 bwh> a buffer over-read.  However, I think that has no additional impact
 bwh> since even SLOB pads heap allocations to at least 2 bytes.
Bugs:
upstream: released (4.10-rc8) [0c461cb727d146c9ef2d3e86214f498b78b7d125]
4.9-upstream-stable: released (4.9.10) [6cbaf7b94373743deb42fd410173aab81f8945fe]
3.16-upstream-stable: released (3.16.41) [selinux-fix-off-by-one-in-setprocattr.patch]
3.2-upstream-stable: N/A "Vulnerable code not present"
sid: released (4.9.10-1)
3.16-jessie-security: released (3.16.39-1+deb8u1) [bugfix/all/selinux-fix-off-by-one-in-setprocattr.patch]
3.2-wheezy-security: N/A "Vulnerable code not present"
