oss-sec mailing list archives
Re: CVE-2015-1805 Linux kernel: pipe: iovec overrun leading to memory corruption
From: Solar Designer <solar () openwall com>
Date: Sat, 26 Mar 2016 17:52:11 +0300
On Tue, Mar 22, 2016 at 11:58:39PM +0300, Solar Designer wrote:
> The primary reason I am posting this is so that other distros know the vulnerability was apparently shown to be exploitable.

And that's not the end of the story:

https://lwn.net/SubscriberLink/681062/b974fb24a6c4617b/

"Posted Mar 25, 2016 13:23 UTC (Fri) by BenHutchings (subscriber, #37955)

Unfortunately the fix by Seth Jennings for RHEL, later applied to stable branches, was still incorrect, leading to CVE-2016-0774. I hope AOSP picks up the second fix as well."

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0774

"Petr Matousek 2016-02-02 09:34:35 EST

It was found that the fix for CVE-2015-1805 incorrectly kept buffer offset and buffer length in sync on failed atomic read, potentially resulting in pipe buffer state corruption. A local, unprivileged user could use this flaw to crash the system or leak kernel memory to user-space. Upstream Linux kernel is not affected by this flaw as it was introduced by the Red Hat Enterprise Linux only fix for CVE-2015-1805.

Acknowledgements:

The security impact of this issue was discovered by Red Hat."

Alexander
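The Red Hat text above only states the effect of CVE-2016-0774 (offset and length bookkeeping going wrong on a failed atomic read, leaving the pipe buffer describing memory that was never written to the pipe). The following is an added user-space model, not code from this thread, from the kernel, or from the RHEL backport: it assumes, as a simplification of that description, that the flawed code advanced `offset`/`len` by the partial count before the atomic `copy_to_user` failure was handled and then re-ran the copy from the moved offset, and contrasts that with bookkeeping that commits only after the whole copy succeeded. The `pipe_buffer` layout, `copy_to_user_model` and the fault position are constructed for the illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096

/* One pipe buffer slot, modelled on the kernel's (page, offset, len) triple. */
struct pipe_buffer {
    unsigned char page[MODEL_PAGE_SIZE];
    unsigned int offset;   /* where unread data starts inside page */
    unsigned int len;      /* how many unread bytes follow offset */
};

/* Fill the page with a recognisable pattern so we can see what a read returned. */
static void init_buf(struct pipe_buffer *buf, unsigned int offset, unsigned int len)
{
    for (size_t i = 0; i < MODEL_PAGE_SIZE; i++)
        buf->page[i] = (unsigned char)i;
    buf->offset = offset;
    buf->len = len;
}

/* Invariant every pipe buffer must satisfy: the unread window lies inside the page. */
static int buf_state_sane(const struct pipe_buffer *buf)
{
    return buf->offset <= MODEL_PAGE_SIZE && buf->len <= MODEL_PAGE_SIZE - buf->offset;
}

/*
 * Stand-in for copy_to_user(): returns the number of bytes NOT copied.
 * The "atomic" (page faults disabled) attempt is made to fail after fault_at
 * bytes, which is how a non-resident user page looks to the kernel; the
 * non-atomic retry always succeeds.  Constructed behaviour for the model.
 */
static size_t copy_to_user_model(unsigned char *dst, const unsigned char *src,
                                 size_t n, int atomic, size_t fault_at)
{
    size_t done = (atomic && fault_at < n) ? fault_at : n;
    memcpy(dst, src, done);
    return n - done;
}

/*
 * Assumed shape of the flawed bookkeeping: offset and len are advanced by
 * whatever the atomic attempt managed to copy, then the slow path retries the
 * full request from the already-moved offset and advances again.  The reader
 * receives bytes past the end of the unread data and len wraps below zero.
 */
static long pipe_read_buggy(struct pipe_buffer *buf, unsigned char *dst,
                            size_t want, size_t fault_at)
{
    size_t chars = want < buf->len ? want : buf->len;
    int atomic = 1;
    size_t left;

redo:
    left = copy_to_user_model(dst, buf->page + buf->offset, chars, atomic, fault_at);
    buf->offset += (unsigned int)(chars - left);   /* committed before success is known */
    buf->len -= (unsigned int)(chars - left);
    if (left) {
        if (atomic) {
            atomic = 0;
            goto redo;                              /* retries from the moved offset */
        }
        return -EFAULT;
    }
    return (long)chars;
}

/*
 * Corrected bookkeeping: the copy is attempted (and retried) from the original
 * offset, and offset/len are updated once, after the whole copy succeeded.
 */
static long pipe_read_fixed(struct pipe_buffer *buf, unsigned char *dst,
                            size_t want, size_t fault_at)
{
    size_t chars = want < buf->len ? want : buf->len;
    int atomic = 1;
    size_t left;

redo:
    left = copy_to_user_model(dst, buf->page + buf->offset, chars, atomic, fault_at);
    if (left) {
        if (atomic) {
            atomic = 0;
            goto redo;                              /* same offset, slow path */
        }
        return -EFAULT;
    }
    buf->offset += (unsigned int)chars;
    buf->len -= (unsigned int)chars;
    return (long)chars;
}

int main(void)
{
    struct pipe_buffer buf;
    unsigned char out[256];
    long n;

    /* 200 unread bytes at offset 100; the atomic copy faults after 50 of them. */
    init_buf(&buf, 100, 200);
    n = pipe_read_buggy(&buf, out, 200, 50);
    printf("buggy: ret=%ld offset=%u len=%u sane=%d last byte=0x%02x (pipe data ends at 0x%02x)\n",
           n, buf.offset, buf.len, buf_state_sane(&buf), out[199], buf.page[299]);

    init_buf(&buf, 100, 200);
    n = pipe_read_fixed(&buf, out, 200, 50);
    printf("fixed: ret=%ld offset=%u len=%u sane=%d last byte=0x%02x\n",
           n, buf.offset, buf.len, buf_state_sane(&buf), out[199]);
    return 0;
}
```

In the buggy run both reads report success, but the buffer is left with `offset` past the end of the original data and a wrapped `len`, and the last 50 bytes handed to the caller come from beyond what was ever written to the pipe; that is the "state corruption" and "leak kernel memory to user-space" outcome the advisory describes. The check a backporter wants is the invariant in `buf_state_sane`: it must hold after every read path, including the atomic-failure retry, which is exactly where the flawed fix broke it.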
Current thread:
- Re: CVE-2015-1805 Linux kernel: pipe: iovec overrun leading to memory corruption Solar Designer (Mar 22)
- Re: CVE-2015-1805 Linux kernel: pipe: iovec overrun leading to memory corruption Scotty Bauer (Mar 22)
- Re: CVE-2015-1805 Linux kernel: pipe: iovec overrun leading to memory corruption Solar Designer (Mar 22)
- Re: CVE-2015-1805 Linux kernel: pipe: iovec overrun leading to memory corruption Daniel Micay (Mar 22)
- Re: CVE-2015-1805 Linux kernel: pipe: iovec overrun leading to memory corruption Solar Designer (Mar 26)
- Re: CVE-2015-1805 Linux kernel: pipe: iovec overrun leading to memory corruption Scotty Bauer (Mar 22)