oss-sec mailing list archives

Re: CVE request: kernel: btrfs heap overflow

From: Eugene Teo <eugene () redhat com>
Date: Wed, 09 Feb 2011 23:20:36 +0800

On 02/09/2011 10:27 PM, Dan Rosenberg wrote:

Commit bf5fc093c5b625e4259203f1cee7ca73488a5620 refactored
btrfs_ioctl_space_info() and introduced security issues.  Since they
were all introduced at once and fixed at the same time, one CVE should
suffice.

Due to integer truncation or a signedness error in a typecasted
comparison, an integer overflow in an allocation size calculation, and
a failure to properly check bounds when copying data, it was possible
for an unprivileged user to cause a denial-of-service due to writing
to an invalid pointer (ZERO_SIZE_PTR) or cause a kernel heap overflow.

-Dan

[1] http://marc.info/?l=linux-kernel&m=129726078708425&w=2

Commit bf5fc093c was introduced very recently - v2.6.37-rc1 Sept lastyear. Do we have commercially supported kernels that are affected by this?


Thanks, Eugene

Current thread:

CVE request: kernel: btrfs heap overflow Dan Rosenberg (Feb 09)
- Re: CVE request: kernel: btrfs heap overflow Eugene Teo (Feb 09)
  - Re: CVE request: kernel: btrfs heap overflow Dan Rosenberg (Feb 09)
    - Re: CVE request: kernel: btrfs heap overflow Eugene Teo (Feb 09)
    - Re: CVE request: kernel: btrfs heap overflow Eugene Teo (Feb 09)
    - Re: CVE request: kernel: btrfs heap overflow Steven M. Christey (Feb 10)
    - Re: CVE request: kernel: btrfs heap overflow Stéphane Gaudreault (Feb 09)
    - Re: CVE request: kernel: btrfs heap overflow Moritz Muehlenhoff (Feb 09)
    - Re: CVE request: kernel: btrfs heap overflow Greg KH (Feb 09)
- Re: CVE request: kernel: btrfs heap overflow Eugene Teo (Feb 21)