• Salva Peiró



[patch] cxt1e1: Correct Arbitrary memory write in c4_ioctl()

by speiro - Mar 03, 2014 - security, kernel, arbitrary, memory write,

Vulnerability Description

The function c4_ioctl() (listed below) copies user-supplied data from ifr->ifr_data into the kernel struct data arg without performing any bounds checking. A crafted iocmd can therefore write outside of the struct data arg, because the write size iolen = IOC_SIZE(iocmd) is taken from the command and can be as large as 2^14 bytes.

Triggering the write requires the CAP_SYS_ADMIN capability, but it should be disallowed even for a caller with admin rights.
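The bounds check that the description says is missing, as an added user-space example (not the cxt1e1 driver code and not the patch itself). It assumes a command word whose size field is 14 bits wide at bit 16; the MODEL_* macros, struct model_arg, copy_in_checked() and the canary are hypothetical names, and memcpy() stands in for the kernel's copy from user space.

```c
/* User-space model of the size check; not the cxt1e1 driver source. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumption: size field is 14 bits wide, stored at bit 16 of the command. */
#define MODEL_SIZEBITS  14
#define MODEL_SIZESHIFT 16
#define MODEL_IOC_SIZE(cmd) \
    (((cmd) >> MODEL_SIZESHIFT) & ((1u << MODEL_SIZEBITS) - 1))
#define MODEL_IOC(nr, size) \
    (((unsigned)(size) << MODEL_SIZESHIFT) | (unsigned)(nr))

/* Hypothetical stand-in for the kernel-side "arg" destination. */
struct model_arg { unsigned char data[64]; };

/* Copy-in with the bounds check: the length comes from the command,
 * so it must be compared with the destination size before copying. */
static int copy_in_checked(struct model_arg *arg, unsigned iocmd,
                           const void *user_buf)
{
    size_t iolen = MODEL_IOC_SIZE(iocmd);

    if (iolen > sizeof(*arg))
        return -EFAULT;              /* request would write past arg */
    memcpy(arg, user_buf, iolen);    /* stands in for copy_from_user() */
    return 0;
}

/* Returns 1 if an oversized request is refused and the bytes placed
 * right after arg (constructed canary) are left untouched. */
static int oversized_request_rejected(void)
{
    static unsigned char user_buf[4096];   /* constructed input */
    struct { struct model_arg arg; unsigned char canary[16]; } f;
    unsigned char expect[16];

    memset(user_buf, 0x41, sizeof(user_buf));
    memset(f.canary, 0xAA, sizeof(f.canary));
    memset(expect, 0xAA, sizeof(expect));
    int rc = copy_in_checked(&f.arg, MODEL_IOC(1, 4096), user_buf);
    return rc == -EFAULT && memcmp(f.canary, expect, sizeof(expect)) == 0;
}

int main(void)
{
    printf("oversized request rejected: %d\n", oversized_request_rejected());
    return 0;
}
```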

Update

Starting with gcc-4.0, the gcc compiler can report the size of an object (GCC Object Size). The kernel uses __builtin_object_size() to implement checks …
