Bug#296900: CAN-2005-0529: Buffer overflow in proc_file_read

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#296900: CAN-2005-0529: Buffer overflow in proc_file_read
From: Stefan Fritsch <sf@sfritsch.de>
Date: Fri, 25 Feb 2005 15:30:30 +0100
Message-id: <[🔎] E1D4gUA-0005dO-QG@k.local>
Reply-to: Stefan Fritsch <sf@sfritsch.de>, 296900@bugs.debian.org

Package: kernel-source-2.6.8
Version: 2.6.8-13
Severity: critical
Tags: security
Justification: root security hole

Cite:
" Linux kernel 2.6.10 and 2.6.11rc1-bk6 uses different size types
for offset arguments to the proc_file_read and locks_read_proc
functions, which leads to a heap-based buffer overflow when a
signed comparison causes negative integers to be used in a positive
context."

The offending code is also in 2.6.8.

A fix is at:
http://linux.bkbits.net:8080/linux-2.6/cset@4201818eC6aMn0x3GY_9rw3ueb2ZWQ

The original advisory is at:
http://marc.theaimsgroup.com/?l=full-disclosure&m=110846727602817&w=2

The corresponding code in 2.4.27 lacks the bogus ssize_t cast. Therefore
2.4.27 should not be affected.

Please also fix 2.6.9 and 2.6.10.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Reply to:

Prev by Date: Bug#296899: CAN-2005-0531: Buffer overflow in atm_get_addr
Next by Date: Bug#296901: CAN-2005-0530: information disclosure because of signedness error in copy_from_read_buf
Previous by thread: Bug#296899: CAN-2005-0531: Buffer overflow in atm_get_addr
Next by thread: Bug#296901: CAN-2005-0530: information disclosure because of signedness error in copy_from_read_buf
Index(es):
- Date
- Thread