[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#296897: CAN-2005-0532: Buffer overflow in reiserfs_copy_from_user... on 64bit arches

On Fri, Feb 25, 2005 at 03:05:58PM +0100, Stefan Fritsch wrote:
> Package: kernel-source-2.6.8
> Version: 2.6.8-13
> Severity: critical
> Tags: security
> Justification: root security hole
> 
> Cite:
> "The reiserfs_copy_from_user_to_file_region function in reiserfs/file.c for Linux kernel
> 2.6.10 and 2.6.11 before 2.6.11-rc4, when running on 64-bit architectures, may allow local
> users to trigger a buffer overflow as a result of casting discrepancies between size_t and
> int data types."
> 
> The offending code is also in 2.6.8. A fix is at
> http://linux.bkbits.net:8080/linux-2.6/cset@42018227TkNpHlX6BefnItV_GqMmzQ
> 
> The original advisory is at
> http://marc.theaimsgroup.com/?l=full-disclosure&m=110846727602817&w=2
> 
> 
> Please fix 2.6.9 and 2.6.10 as well. I have also looked at 2.4.27 but couldn't find any
> similar code.

Thanks, that seems good to me. I will work on getting it into 2.4.8 and
2.6.10, and also double-check 2.4.27. 2.6.9 is no longer maintained.

-- 
Horms
Reply to: