First published: Tue Sep 28 2010(Updated: )
Description of problem: The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a pktcdvd_device from the global pkt_devs array. The index into this array is provided directly by the user and is a signed integer, so the comparison to ensure that it falls within the bounds of this array will fail when provided with a negative index. This can be used to read arbitrary kernel memory or cause a crash due to an invalid pointer dereference. This can be exploited by users with permission to open /dev/pktcdvd/control (on many distributions, this is readable by group "cdrom"). Upstream commit: <a href="http://git.kernel.org/linus/252a52aa4fa22a668f019e55b3aac3ff71ec1c29">http://git.kernel.org/linus/252a52aa4fa22a668f019e55b3aac3ff71ec1c29</a>
Credit: secalert@redhat.com secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
debian/linux-2.6 | ||
Linux Linux kernel | <2.6.36 | |
Linux Linux kernel | =2.6.36 | |
Linux Linux kernel | =2.6.36-rc1 | |
Linux Linux kernel | =2.6.36-rc2 | |
Linux Linux kernel | =2.6.36-rc3 | |
Linux Linux kernel | =2.6.36-rc4 | |
Linux Linux kernel | =2.6.36-rc5 | |
openSUSE openSUSE | =11.2 | |
openSUSE openSUSE | =11.3 | |
SUSE Linux Enterprise Desktop | =10-sp3 | |
SUSE Linux Enterprise Desktop | =11-sp1 | |
Suse Linux Enterprise Real Time Extension | =11-sp1 | |
SUSE Linux Enterprise Server | =9 | |
SUSE Linux Enterprise Server | =10-sp3 | |
SUSE Linux Enterprise Server | =11-sp1 | |
SUSE Linux Enterprise Software Development Kit | =10-sp3 | |
Debian Debian Linux | =5.0 | |
Canonical Ubuntu Linux | =6.06 | |
Canonical Ubuntu Linux | =8.04 | |
Canonical Ubuntu Linux | =9.04 | |
Canonical Ubuntu Linux | =9.10 | |
Canonical Ubuntu Linux | =10.04 | |
Canonical Ubuntu Linux | =10.10 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.