
Re: [Bugme-new] [Bug 8028] New: capi_{cmsg,message}2str not thread-safe; vulnerable to buffer overflow



(cc's restored. Please don't do that)

On Sat, 17 Feb 2007 23:30:35 +0000 Ben Hutchings <ben@decadent.org.uk> wrote:

> On Sat, 2007-02-17 at 14:49 -0800, Andrew Morton wrote:
> > On Sat, 17 Feb 2007 13:03:02 -0800 bugme-daemon@bugzilla.kernel.org wrote:
> > 
> > > http://bugzilla.kernel.org/show_bug.cgi?id=8028
> > > 
> > >            Summary: capi_{cmsg,message}2str not thread-safe; vulnerable to
> > >                     buffer overflow
> > >     Kernel Version: 2.6.20
> > >             Status: NEW
> > >           Severity: high
> > >              Owner: drivers_isdn@kernel-bugs.osdl.org
> > >          Submitter: ben@decadent.org.uk
> > > 
> > > 
> > > See http://bugs.debian.org/408530 for an example of Asterisk crashing when
> > > calling these debugging extensions to CAPI.
> > > 
> > > The same functions and implementations are present in the kernel and are used in
> > > several logging calls. I don't see any sign of locking or other measures that
> > > would make this thread-safe. The Debian bug report suggests that some messages
> > > can overflow the 8 KB buffer. I don't know enough about the protocol to tell
> > > whether this is a result of two threads trying to convert a message at the same
> > > time or whether it can result from a single long message.
> > > 
> > 
> > Ben, is someone at Debian planning on doing the kernel fix?
> 
> So far as I know, no-one on the kernel team was aware of the issue until
> today, so no-one has begun attempting to fix it.
> 
> Ben.
> 
> -- 
> Ben Hutchings
> It is easier to change the specification to fit the program than vice versa.
> 
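As an added illustration of the bug class the report describes (this is example code written for this page, not the kernel's capiutil.c and not code posted in this thread): a hypothetical CAPI-style message formatter that appends into one static 8 KB buffer through unbounded sprintf() calls, beside a reentrant rewrite that writes into a caller-supplied buffer and reports the length the complete output needs. The names unsafe_msg2str, safe_msg2str, bufprint, sb_printf, strbuf and MSGBUF_SIZE are invented for the example, the "len=N: xx xx" output format is an assumption, and the sample message bytes are constructed.

```c
/* Hypothetical illustration of the bug class in the report: a message-to-
 * string formatter that appends into one static 8 KB buffer through an
 * unbounded vsprintf(), beside a reentrant, bounded rewrite.
 * Example code for this page, not the kernel's capiutil.c. */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MSGBUF_SIZE 8192

/* --- Unsafe pattern: one shared static buffer, unbounded append --- */
static char g_buf[MSGBUF_SIZE];   /* shared by every caller, no lock */
static char *g_p;                  /* write cursor into g_buf, also shared */

static void bufprint(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(g_p, fmt, ap);        /* no bound: a long message runs past g_buf */
    va_end(ap);
    g_p += strlen(g_p);
}

/* Returns a pointer into g_buf; the next call, from any thread, overwrites it. */
const char *unsafe_msg2str(const unsigned char *msg, size_t len)
{
    g_p = g_buf;
    bufprint("len=%zu:", len);
    for (size_t i = 0; i < len; i++)
        bufprint(" %02x", msg[i]);
    return g_buf;
}

/* Bytes the unsafe formatter writes for a message of `len` bytes
 * (header, 3 per byte, NUL).  Anything above MSGBUF_SIZE overflows g_buf. */
size_t unsafe_bytes_written(size_t len)
{
    return (size_t)snprintf(NULL, 0, "len=%zu:", len) + 3 * len + 1;
}

/* --- Reentrant, bounded rewrite --- */
struct strbuf {
    char *dst;     /* caller-owned output buffer (may be NULL when cap == 0) */
    size_t cap;    /* its size, including room for the terminating NUL */
    size_t len;    /* length the complete output needs; may exceed cap */
};

static void sb_printf(struct strbuf *sb, const char *fmt, ...)
{
    va_list ap;
    size_t room = sb->len < sb->cap ? sb->cap - sb->len : 0;
    char *at = room ? sb->dst + sb->len : NULL;
    va_start(ap, fmt);
    int n = vsnprintf(at, room, fmt, ap);   /* truncates, never overruns */
    va_end(ap);
    if (n > 0)
        sb->len += (size_t)n;   /* keep counting past the end so the caller learns the need */
}

/* Formats into dst (NUL-terminated whenever cap > 0) and returns the length
 * the complete string needs; a result >= cap means the output was truncated. */
size_t safe_msg2str(char *dst, size_t cap, const unsigned char *msg, size_t len)
{
    struct strbuf sb = { dst, cap, 0 };
    sb_printf(&sb, "len=%zu:", len);
    for (size_t i = 0; i < len; i++)
        sb_printf(&sb, " %02x", msg[i]);
    return sb.len;
}

int main(void)
{
    static const unsigned char msg[] = { 0x80, 0x01, 0x02 };  /* constructed sample */
    char out[32];
    size_t need;

    printf("unsafe: %s\n", unsafe_msg2str(msg, sizeof msg));
    need = safe_msg2str(out, sizeof out, msg, sizeof msg);
    printf("safe:   %s (needed %zu bytes)\n", out, need);
    need = unsafe_bytes_written(4000);
    printf("a 4000-byte message needs %zu bytes: %s\n", need,
           need > MSGBUF_SIZE ? "OVERFLOWS g_buf" : "fits");
    return 0;
}
```

The static-buffer version fails in two independent ways, which is exactly the ambiguity the report raises: any two callers (separate threads, or a logging call interrupted by another on the same CPU) share g_buf and g_p, so the second call clobbers the first caller's result while it is still being used; and a single message long enough that its formatted text exceeds MSGBUF_SIZE writes past g_buf with no concurrency involved at all. The rewrite removes both: each caller owns its output buffer, vsnprintf() never writes past cap, and a return value of cap or more tells the caller the text was truncated instead of silently corrupting memory.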