• Salva Peiró
CVE-2015-7884: Kernel Infoleak vulnerability in vivid_fb_ioctl()

by speiro - Oct 22, 2015 - Tags: CVE-2015-7884, security, kernel, infoleak

Summary

CVE: CVE-2015-7884
Author: Salva Peiró
Date: October 2015 - Discovery of the vulnerability.
Impact: The vulnerability discloses 16 bytes of kernel process stack.
Affected Versions: From linux-3.17.0-rc1 to linux-4.3-rc6
Bug Timespan: 1 year, from 2014 to 2015 (introduced in commit ad4e02d5081d9da38b5b91886e5fa71f0505d607)
Patch: fix commit eda98796aff0d9bf41094b06811f5def3b4c333c

Description

The vivid_fb_ioctl() code fails to initialize the 16 reserved bytes of struct fb_vblank that follow the ->hcount member, so the uninitialized stack contents are copied to user space. The fix adds an explicit memset(0) of the structure before filling it in, which closes the info leak.

The patch fixing the Infoleak

After verification the patch that fixes the vulnerability has been …


CVE-2015-7885: Kernel Infoleak vulnerability in dgnc_mgmt_ioctl()

by speiro - Oct 22, 2015 - Tags: CVE-2015-7885, security, kernel, infoleak

Summary

CVE: CVE-2015-7885
Author: Salva Peiró
Date: October 2015 - Discovery of the vulnerability.
Impact: The vulnerability discloses 16 bytes of kernel process stack.
Affected Versions: From linux-3.11.0-rc3 to linux-4.3-rc6
Bug Timespan: 2 years, from 2013 to 2015 (introduced in commit 0b99d58902dd82fa51216eb8e0d6ddd8c43e90e4)
Patch: fix commit 4b6184336ebb5c8dc1eae7f7ab46ee608a748b05

Description

The dgnc_mgmt_ioctl() code fails to initialize the 16 reserved bytes of struct digi_dinfo that follow the ->dinfo_nboards member, so the uninitialized stack contents are copied to user space. The fix adds an explicit memset(0) of the structure before filling it in, which closes the info leak.

The patch fixing the Infoleak

After verification the patch that fixes the vulnerability has been …


CVE-2014-1739: Kernel Infoleak vulnerability in media_enum_entities()

by speiro - Apr 28, 2014 - Tags: CVE-2014-1739, security, kernel, infoleak

Summary

CVE: CVE-2014-1739
Author: Salva Peiró
Date: April 2014 - Discovery of the vulnerability.
Impact: The vulnerability discloses 200 bytes of kernel process stack.
Affected Versions: From linux-2.6.38 to linux-3.15-rc3
Bug Timespan: 3 years, 2011-03-23 to 2014-04-29 (introduced in commit 1651333b)

Description

During a code review of the kernel sources we found an infoleak vulnerability in the ioctl media_enum_entities() that discloses 200 bytes of the kernel process's stack. The vulnerability is exploitable on versions up to linux-3.15-rc3 by local users with read access to /dev/media0. Linux distributions ship with chmod …


[patch] cxt1e1: Correct Arbitrary memory write in c4_ioctl()

by speiro - Mar 03, 2014 - Tags: security, kernel, arbitrary, memory write

Vulnerability Description

The function c4_ioctl() (listed below) copies user-supplied data from ifr->ifr_data into the kernel struct data arg without any bounds checking. A crafted iocmd can therefore write past the end of struct data arg, since iolen = IOC_SIZE(iocmd) is taken from the command itself and can specify a write size of up to 2^14 bytes.

Triggering the write requires the CAP_SYS_ADMIN capability, but even a caller with admin rights should not be able to perform an out-of-bounds kernel write, so it should be disallowed.

Update

Starting with gcc-4.0, the gcc compiler can report the size of an object at compile time (GCC Object Size). The kernel uses the builtin_object_size() builtin to implement checks …
