286098 – (CVE-2009-3288) Kernel: sg_build_indirect() NULL pointer deref (CVE-2009-3288)

Bug 286098 (CVE-2009-3288) - Kernel: sg_build_indirect() NULL pointer deref (CVE-2009-3288)

Summary: Kernel: sg_build_indirect() NULL pointer deref (CVE-2009-3288)

Status:	RESOLVED FIXED

Alias:	CVE-2009-3288

Product:	Gentoo Security
Classification:	Unclassified
Component:	Kernel (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:	http://git.kernel.org/?p=linux/kernel...
Whiteboard:	[ linux > 2.6.28 < 2.6.31 ]
Keywords:

Depends on:
Blocks:

Reported:	2009-09-23 14:31 UTC by Alex Legler (RETIRED)
Modified:	2013-09-15 18:41 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alex Legler (RETIRED) archtester

2009-09-23 14:31:07 UTC

CVE-2009-3288 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3288):
  The sg_build_indirect function in drivers/scsi/sg.c in Linux kernel
  2.6.28-rc1 through 2.6.31-rc8 uses an incorrect variable when
  accessing an array, which allows local users to cause a denial of
  service (kernel OOPS and NULL pointer dereference), as demonstrated
  by using xcdroast to duplicate a CD.  NOTE: this is only exploitable
  by users who can open the cdrom device.