oss-security February 2011 archive

[oss-security] CVE request: kernel: two bluetooth and one ebtables infoleaks/DoSes

From: Vasiliy Kulikov <segoon_at_nospam>
Date: Mon Feb 28 2011 - 19:48:36 GMT
To: oss-security@lists.openwall.com

Hi,

"struct sco_conninfo has one padding byte at the end. Local variable
cinfo of type sco_conninfo is copied to userspace with this
uninitialized one byte, leading to old stack contents leak."

https://lkml.org/lkml/2011/2/14/49

"Struct ca is copied from userspace. It is not checked whether the
"device" field is NULL terminated. This potentially leads to BUG()
inside of alloc_netdev_mqs() and/or information leak by creating a
device with a name made of contents of kernel stack."

https://lkml.org/lkml/2011/2/14/50

"Struct tmp is copied from userspace. It is not checked whether the
"name" field is NULL terminated. This may lead to buffer overflow and
passing contents of kernel stack as a module name to
try_then_request_module() and, consequently, to modprobe commandline.
It would be seen by all userspace processes."

https://lkml.org/lkml/2011/2/14/51

The vulnerable code was written before the "git epoch". One needs
CAP_NET_ADMIN to exploit the 2nd and the 3rd.

JFI, the patch to prevent the panic inside of alloc_netdev() (to prevent
analogues of #2) was rejected by upstream:

https://lkml.org/lkml/2011/2/14/52

Thanks,

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
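Added illustration (not code from the message or from the kernel): a userspace C simulation of the two defect patterns described above, using a constructed struct shaped like struct sco_conninfo to show why the padding byte leaks and how zeroing the object first prevents it, plus the bounded termination check that fixed-size "device"/"name" fields copied from userspace need before they are treated as C strings.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in shaped like struct sco_conninfo (__u16 hci_handle,
 * __u8 dev_class[3]): sizeof is 6, so the byte at offset 5 is padding that
 * no field assignment ever writes. */
struct conninfo {
    uint16_t hci_handle;
    uint8_t  dev_class[3];
};

/* View of the object's raw bytes, i.e. what copy_to_user() would send. */
union slot {
    struct conninfo ci;
    uint8_t raw[sizeof(struct conninfo)];
};
#define PADDING_OFFSET 5
static const uint8_t sample_class[3] = { 0x04, 0x01, 0x0c }; /* constructed */

/* Unfixed pattern: the local object sits on stack memory that still holds
 * old contents (simulated deterministically as 0xAA) and only the named
 * fields are written, so the padding byte keeps the stale value. */
static uint8_t padding_byte_unfixed(void)
{
    union slot s;
    memset(s.raw, 0xAA, sizeof s.raw);       /* "old stack contents" */
    s.ci.hci_handle = 0x0042;
    memcpy(s.ci.dev_class, sample_class, sizeof sample_class);
    return s.raw[PADDING_OFFSET];            /* 0xAA: this is the leak */
}

/* Usual fix: zero the whole object, padding included, before filling it. */
static uint8_t padding_byte_fixed(void)
{
    union slot s;
    memset(s.raw, 0xAA, sizeof s.raw);       /* same stale stack */
    memset(&s.ci, 0, sizeof s.ci);           /* clears the padding byte too */
    s.ci.hci_handle = 0x0042;
    memcpy(s.ci.dev_class, sample_class, sizeof sample_class);
    return s.raw[PADDING_OFFSET];            /* always 0 */
}

/* For the "device"/"name" fields copied from userspace: a fixed-size char
 * array may only be handed to string functions if a NUL lies inside it.
 * memchr() bounds the search to the array; strlen() would run past it. */
static int name_is_terminated(const char *name, size_t len)
{
    return memchr(name, '\0', len) != NULL;
}
```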