Bug 54857 - Linux kernel IEEE 1394(Firewire) driver integer overflows
Summary: Linux kernel IEEE 1394(Firewire) driver integer overflows
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: All All
Importance: High normal
Assignee: Gentoo Kernel Bug Wranglers and Kernel Maintainers
URL: http://www.securityfocus.com/archive/...
Whiteboard:
Keywords:
Duplicates: 54883
Depends on:
Blocks:
 
Reported: 2004-06-22 22:57 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-03-17 08:38 UTC

See Also:
Package list:
Runtime testing required: ---
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-06-22 22:57:58 UTC
Possible vulnerability posted to Bugtraq.

Linux kernel IEEE 1394(Firewire) driver - integer overflows
-----------------------------------------------------------

Link: 
        http://www.linux1394.org/index.php

Driver Description:
IEEE 1394 is a standard defining a high speed serial bus. This bus is also named
FireWire by Apple or i.Link by Sony. All these names refer to the same thing,
but the neutral term IEEE 1394 (or just 1394) is used on these web pages and in
the sources.

This driver is included in standard linux distros.  It is located in
/usr/src/linux/drivers/ieee1394/.

Impact: 
        Local DOS, possible code execution

Vuln:

There exist multiple integer overflows in the memory allocation scheme of the
driver. In the write method of the driver a user buffer is copied into kernel
space. In this buffer is a request structure that contains an unsigned length
field. This field is used to allocate memory, after it is added to another
number. There are no checks to see if this overflows during integer addition.
This problem occurs in the alloc_hpsb_packet function.
The problem exists in both the 2.4 and 2.6 versions of the driver; 2.2 was not
checked. The functions leading up to this are spread out through a couple of
files:
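The allocation pattern the post describes, an unsigned user-supplied length added to a fixed overhead before the sum is used as an allocation size, is shown below next to the check that prevents it from wrapping. This is an added example, not code from the Bugtraq post or from the ieee1394 driver; the `struct packet`, `HDR_OVERHEAD`, `length_accepted` and `packet_alloc` names and the 16-byte overhead are constructed for illustration, and the arithmetic is done in `uint32_t` to mirror the 32-bit `size_t` of the systems the report concerns.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed constant: header bytes added to the user-supplied length,
 * standing in for the "another number" mentioned in the report. */
#define HDR_OVERHEAD 16u

/* Hypothetical packet: a size field followed by the payload bytes. */
struct packet {
    uint32_t data_size;
    unsigned char data[];
};

/* The pattern the report describes: unsigned length + constant, no check.
 * Kept in uint32_t so that a length close to UINT32_MAX wraps to a small
 * total, which is exactly what an allocator must never be handed. */
uint32_t total_size_unchecked(uint32_t length)
{
    return length + HDR_OVERHEAD;
}

/* Overflow-safe addition: reports failure instead of wrapping. */
bool add_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a > UINT32_MAX - b)
        return false;
    *out = a + b;
    return true;
}

/* Validation to run on the copied-in request before allocating: reject
 * lengths above a policy cap and lengths whose total would wrap. */
bool length_accepted(uint32_t user_length, uint32_t max_length)
{
    uint32_t total = 0;
    if (user_length > max_length)
        return false;
    return add_u32_checked(user_length, HDR_OVERHEAD, &total);
}

/* Allocate a packet holding user_length payload bytes plus the overhead,
 * or return NULL if the request was rejected or memory ran out. */
struct packet *packet_alloc(uint32_t user_length, uint32_t max_length)
{
    uint32_t total = 0;
    if (!length_accepted(user_length, max_length))
        return NULL;
    (void)add_u32_checked(user_length, HDR_OVERHEAD, &total); /* cannot fail here */
    struct packet *p = malloc(sizeof *p + total);
    if (p == NULL)
        return NULL;
    p->data_size = total;
    memset(p->data, 0, total);
    return p;
}

int main(void)
{
    uint32_t huge = UINT32_MAX - 4;   /* constructed: a length that wraps */
    printf("unchecked total for length %u: %u bytes\n",
           huge, total_size_unchecked(huge));
    printf("checked: length %u accepted? %s\n",
           huge, length_accepted(huge, UINT32_MAX) ? "yes" : "no");
    struct packet *p = packet_alloc(100, 4096);
    printf("checked: length 100 -> buffer of %u bytes\n",
           p ? p->data_size : 0u);
    free(p);
    return 0;
}
```

The policy cap in `length_accepted` is the part most drivers already have; the `add_u32_checked` call is the part the report says was missing. Checking the cap alone is not enough when the cap itself is large, because the wrap happens in the addition, not in the comparison against the cap.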
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-06-23 05:40:40 UTC
*** Bug 54883 has been marked as a duplicate of this bug. ***
Comment 2 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-06-29 14:54:44 UTC
Updating status whiteboard
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-06-30 01:20:20 UTC
CondorDes: this is still unconfirmed. There is no sign of an acknowledgement or a fix from anywhere except that Bugtraq post (or did you find one?). Bug will remain as NEW (and without status whiteboard) until we get an external confirmation of this.
Comment 4 Greg Kroah-Hartman (RETIRED) gentoo-dev 2004-06-30 11:27:36 UTC
Also, as no non-root user can access these device nodes, it really isn't
that big of a problem.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-07-16 07:19:41 UTC
If you have to be root to exploit it, it's not a security bug. Reassigning.
Comment 6 Daniel Drake (RETIRED) gentoo-dev 2005-03-17 08:38:21 UTC
A member of the audit team had a look and gave an indication that this appears to be fixed.