oss-security January 2011 archive

[oss-security] Re: [PATCH] acpi: debugfs: fix buffer overflows, double free

From: Vasiliy Kulikov <segoon_at_nospam>
Date: Mon Jan 24 2011 - 18:37:59 GMT
To: "Steven M. Christey" <coley@rcf-smtp.mitre.org>

On Sat, Jan 22, 2011 at 15:13 -0500, Steven M. Christey wrote:
>
> On Fri, 21 Jan 2011, Eugene Teo wrote:
>
> >On 01/21/2011 04:08 AM, Vasiliy Kulikov wrote:
> >>File position is not controlled, it may lead to overwrites of arbitrary
> >>kernel memory. Also the code may kfree() the same pointer multiple
> >>times.
> >
> >http://lkml.org/lkml/2011/1/20/348
> >https://bugzilla.redhat.com/CVE-2011-0023
> >
> >Please use CVE-2011-0023 (this does not include the unresolved
> >flaw described in the following paragraph below).
>
> There seem to be 2 types of issues described above - the
> uncontrolled file position / memory overwrite, and a "double free".

If you want to count every bug in this code, here you are: if you zero *ppos
after each write() then buf is leaked :-)

> So there should probably be 2 separate CVEs, not one. Am I missing
> something?
>
> - Steve

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
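An added example, not part of this thread and not the kernel patch it discusses: a user-space C model of a write handler that assembles a table across several write() calls, with the checks the report above implies. The caller-supplied file position is bounded by the allocation rather than trusted, the buffer pointer is cleared after it is freed so a later call cannot free it a second time, a continuation write with no buffer is rejected, and a restart at position 0 releases a partial buffer instead of leaking it. `struct table_header`, `struct writer`, `MAX_TABLE`, `table_write` and `run_scenarios` are constructed names, and the 16-byte table in `run_scenarios` is constructed input.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the table header the handler parses. */
struct table_header {
    uint32_t length;    /* declared total table length, header included */
    uint32_t reserved;
};

/* Handler state, standing in for the static buffer of a write handler. */
struct writer {
    unsigned char *buf; /* table being assembled; NULL when none is active */
    size_t buf_len;     /* allocation size: the only trustworthy bound */
    size_t uncopied;    /* bytes still expected before the table is complete */
    int installed;      /* completed tables (stand-in for the install step) */
};

#define MAX_TABLE 4096  /* assumed upper bound on an acceptable table */

static void writer_reset(struct writer *w)
{
    free(w->buf);
    w->buf = NULL;      /* clearing the pointer is what rules out a second free */
    w->buf_len = 0;
    w->uncopied = 0;
}

/* Consume `count` bytes at the caller-supplied position *pos. Returns bytes
 * consumed or a negative errno value; *pos advances only on success. */
long table_write(struct writer *w, const unsigned char *data, size_t count, size_t *pos)
{
    if (*pos == 0) {
        struct table_header hdr;
        if (w->buf)
            writer_reset(w);        /* abandon a partial table instead of leaking it */
        if (count < sizeof hdr)
            return -EINVAL;
        memcpy(&hdr, data, sizeof hdr);
        if (hdr.length < sizeof hdr || hdr.length > MAX_TABLE)
            return -EINVAL;
        w->buf = calloc(1, hdr.length);
        if (!w->buf)
            return -ENOMEM;
        w->buf_len = hdr.length;
        w->uncopied = hdr.length;
    } else if (!w->buf) {
        return -EINVAL;             /* continuation with nothing to continue */
    }

    /* Bound the copy by the allocation, never by the position alone: *pos must
     * fall inside buf and *pos + count must not run past its end. */
    if (*pos > w->buf_len || count > w->buf_len - *pos || count > w->uncopied) {
        writer_reset(w);
        return -EINVAL;
    }

    memcpy(w->buf + *pos, data, count);
    w->uncopied -= count;
    *pos += count;

    if (w->uncopied == 0) {
        w->installed++;             /* stand-in for installing the table */
        writer_reset(w);            /* freed exactly once, pointer cleared */
    }
    return (long)count;
}

/* Drives the handler through a constructed 16-byte table and the misuse patterns
 * from the report. Returns 0 when every check holds, else the failing step. */
int run_scenarios(void)
{
    struct writer w = {0};
    struct table_header hdr = { .length = 16, .reserved = 0 };
    unsigned char data[32] = {0};
    size_t pos;

    memcpy(data, &hdr, sizeof hdr);
    /* 1: a well-formed table delivered in two sequential 8-byte writes */
    pos = 0;
    if (table_write(&w, data, 8, &pos) != 8 || pos != 8) return 1;
    if (table_write(&w, data, 8, &pos) != 8 || w.installed != 1 || w.buf) return 2;
    /* 2: continuation after the buffer was released: rejected, not freed again */
    if (table_write(&w, data, 8, &pos) != -EINVAL) return 3;
    /* 3: a caller-chosen position far outside the allocation */
    pos = 0;
    if (table_write(&w, data, 8, &pos) != 8) return 4;
    pos = 100000;
    if (table_write(&w, data, 8, &pos) != -EINVAL || w.buf) return 5;
    /* 4: a single write longer than the length the header declared */
    pos = 0;
    if (table_write(&w, data, 24, &pos) != -EINVAL || w.buf) return 6;
    return 0;
}

int main(void) { return run_scenarios(); }
```

The point of the model is that every bound comes from `buf_len`, the size the handler itself allocated, and never from the position the caller passed in; once the buffer is released the pointer is NULL, so the next call cannot reach `free()` on it again, which is the double-free half of CVE-2011-0023.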