Bugzilla – Bug 71782
VUL-0: CVE-2005-0736: kernel: epoll allows to overwrite memory
Last modified: 2021-10-27 15:56:06 UTC
We received the following report via vendor-sec. The issue is public.

Date: Tue, 8 Mar 2005 12:43:17 -0500
From: Alan Cox <alan@redhat.com>
To: vendor-sec@lst.de
Subject: [vendor-sec] [torvalds@osdl.org: [Security] epoll hole..]
User-Agent: Mutt/1.4.1i
X-Spam-Level:

Linus security-list policy applies to this one.

----- Forwarded message from Linus Torvalds <torvalds@osdl.org> -----

Date: Tue, 8 Mar 2005 09:29:24 -0800 (PST)
From: Linus Torvalds <torvalds@osdl.org> To: Kernel security list <security@kernel.org> X-Spam-Status: No, hits=-6.1 required=5.0 tests=AWL,BAYES_01,PATCH_UNIFIED_DIFF,RCVD_IN_ORBS, USER_AGENT_PINE version=2.55 X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp) X-MIMEDefang-Filter: osdl$Revision: 1.104 $ X-Scanned-By: MIMEDefang 2.36 Cc: Subject: [Security] epoll hole.. X-BeenThere: security@linux.kernel.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Linux kernel security bug reports <security.linux.kernel.org> List-Unsubscribe: <http://linux.kernel.org/mailman/listinfo/security>, <mailto:security-request@linux.kernel.org?subject=unsubscribe> List-Archive: <http://linux.kernel.org/mailman/private/security> List-Post: <mailto:security@linux.kernel.org> List-Help: <mailto:security-request@linux.kernel.org?subject=help> List-Subscribe: <http://linux.kernel.org/mailman/listinfo/security>, <mailto:security-request@linux.kernel.org?subject=subscribe> Errors-To: security-bounces@linux.kernel.org X-RedHat-Spam-Score: 0 This allows overwriting of the first few kB of physical memory on x86. It usually doesn't actually contain anything (the first 4kB are left alone for dosemu etc to read the original 16-bit interrupt descriptors, and the rest is just about the last thing we ever allocate, so it's usually unused), but still.. Already in my tree, soon to be pushed out. Linus ---- # This is a BitKeeper generated diff -Nru style patch. # # ChangeSet # 2005/03/08 08:18:50-08:00 torvalds@ppc970.osdl.org # epoll: return proper error on overflow condition # # Noted by Georgi Guninski. # # fs/eventpoll.c # 2005/03/08 08:18:40-08:00 torvalds@ppc970.osdl.org +2 -1 # epoll: return proper error on overflow condition # # Noted by Georgi Guninski. # diff -Nru a/fs/eventpoll.c b/fs/eventpoll.c --- a/fs/eventpoll.c 2005-03-08 09:24:04 -08:00 +++ b/fs/eventpoll.c 2005-03-08 09:24:04 -08:00 
@@ -619,6 +619,7 @@ return error; } +#define MAX_EVENTS (INT_MAX / sizeof(struct epoll_event)) /* * Implement the event wait interface for the eventpoll file. It is the kernel @@ -635,7 +636,7 @@ current, epfd, events, maxevents, timeout)); /* The maximum number of event must be greater than zero */ - if (maxevents <= 0) + if (maxevents <= 0 || maxevents > MAX_EVENTS) return -EINVAL; /* Verify that the area passed by the user is writeable */ _______________________________________________ Security mailing list Security@linux.kernel.org http://linux.kernel.org/mailman/listinfo/security ----- End forwarded message ----- -- -- "Have you noticed the way people's intelligence capabilities decline sharply the minute they start waving guns around?" -- Dr. Who _______________________________________________ Vendor Security mailing list Vendor Security@lst.de https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
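Review bot: the new MAX_EVENTS define and the added `maxevents > MAX_EVENTS` test carry no comment explaining why INT_MAX is the limit; a one-line comment stating that the cap keeps the product of maxevents and sizeof(struct epoll_event), which the divisor in MAX_EVENTS implies is computed for the writeable-area check just below, from overflowing would make the intent recoverable later. MAX_EVENTS is a size_t (INT_MAX divided by a sizeof), so the comparison mixes a signed int with an unsigned value; it is only well defined because the `maxevents <= 0` test short-circuits first, which the same comment could note.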
Created attachment 31057 [details] mail with patch as attachment
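The argument check that the forwarded patch changes, shown as an added example (not code from the kernel or from this bug): the pre-patch and post-patch checks side by side, plus the byte count a 32-bit kernel would derive from maxevents. Assumptions: the user-area size is maxevents times sizeof(struct epoll_event) evaluated in 32-bit size_t arithmetic, and the struct is mirrored here with the packed 12-byte x86 layout.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed mirror of the x86 ABI layout of struct epoll_event:
 * a 32-bit event mask followed by a 64-bit cookie, packed to 12 bytes. */
struct epoll_event {
    uint32_t events;
    uint64_t data;
} __attribute__((packed));

/* The bound introduced by the patch. */
#define MAX_EVENTS (INT_MAX / sizeof(struct epoll_event))

/* Size of the user buffer as a 32-bit kernel would compute it for the
 * writeable-area check (assumption: maxevents * sizeof(struct epoll_event)
 * in 32-bit size_t arithmetic, so the product can wrap). */
uint32_t user_area_bytes_i386(int maxevents)
{
    return (uint32_t)maxevents * (uint32_t)sizeof(struct epoll_event);
}

/* Pre-patch argument check: only rejects non-positive counts. */
int check_maxevents_before(int maxevents)
{
    if (maxevents <= 0)
        return -EINVAL;
    return 0;
}

/* Post-patch argument check: also caps the count so the byte count fits
 * in an int. The first test guarantees maxevents is positive, so the
 * comparison against the unsigned MAX_EVENTS is well defined. */
int check_maxevents_after(int maxevents)
{
    if (maxevents <= 0 || maxevents > MAX_EVENTS)
        return -EINVAL;
    return 0;
}

int main(void)
{
    /* Constructed count: 357913942 * 12 = 2^32 + 8, so the 32-bit product
     * wraps to 8 and the old check would validate only 8 bytes. */
    int n = 357913942;
    printf("maxevents=%d before=%d after=%d bytes_checked_i386=%u\n",
           n, check_maxevents_before(n), check_maxevents_after(n),
           user_area_bytes_i386(n));
    return 0;
}
```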
Created attachment 31060 [details] exploit posted on full-disclosure
Please apply to 2.6 branches. We need to check the SLES8 SP4 branch epoll too.
Fix is in all 2.6 trees now and in SLES8 trees. Older versions do not have epoll.
*** Bug 72392 has been marked as a duplicate of this bug. ***
tracking
updates and advisory released
CAN-2005-0736
CVE-2005-0736: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)