
Re: [Bugme-new] [Bug 8028] New: capi_{cmsg,message}2str not thread-safe; vulnerable to buffer overflow



On Sat, 2007-02-17 at 14:49 -0800, Andrew Morton wrote:
> On Sat, 17 Feb 2007 13:03:02 -0800 bugme-daemon@bugzilla.kernel.org wrote:
> 
> > http://bugzilla.kernel.org/show_bug.cgi?id=8028
> > 
> >            Summary: capi_{cmsg,message}2str not thread-safe; vulnerable to
> >                     buffer overflow
> >     Kernel Version: 2.6.20
> >             Status: NEW
> >           Severity: high
> >              Owner: drivers_isdn@kernel-bugs.osdl.org
> >          Submitter: ben@decadent.org.uk
> > 
> > 
> > See http://bugs.debian.org/408530 for an example of Asterisk crashing when
> > calling these debugging extensions to CAPI.
> > 
> > The same functions and implementations are present in the kernel and are used in
> > several logging calls. I don't see any sign of locking or other measures that
> > would make this thread-safe. The Debian bug report suggests that some messages
> > can overflow the 8 KB buffer. I don't know enough about the protocol to tell
> > whether this is a result of two threads trying to convert a message at the same
> > time or whether it can result from a single long message.
> > 
> 
> Ben, is someone at Debian planning on doing the kernel fix?

So far as I know, no-one on the kernel team was aware of the issue until
today, so no-one has begun attempting to fix it.

Ben.

-- 
Ben Hutchings
It is easier to change the specification to fit the program than vice versa.
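The quoted report describes two separate hazards in a debug helper that renders a message into one static buffer: callers (and threads) share the same storage, so results collide, and a long enough message runs past the end of the buffer. The C below is an added illustration of that pattern beside a hardened form; it is not the kernel's or libcapi's capi_message2str. The hex-dump output format, the 32-byte buffer and the sample messages are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed illustration of the pattern in the bug report: a debug helper
 * that renders a message as text into ONE static buffer. This is not the
 * kernel's or libcapi's capi_message2str; the hex-dump output format and
 * the 32-byte buffer are made up so the limit is easy to reach. */

#define SHARED_BUF_SIZE 32

/* --- vulnerable pattern: shared static buffer, unbounded appends --- */

static char shared_buf[SHARED_BUF_SIZE];

/* Returns a pointer to the single shared buffer. Every caller, and every
 * thread, gets the same pointer, so the next call overwrites the previous
 * result, and two threads running at once interleave their writes. Nothing
 * checks the remaining room: a message longer than SHARED_BUF_SIZE / 3
 * bytes (10 here) writes past the end of shared_buf. Only call it with
 * short inputs. */
const char *unsafe_msg2str(const unsigned char *msg, size_t len)
{
    char *pos = shared_buf;
    *pos = '\0';
    for (size_t i = 0; i < len; i++)
        pos += sprintf(pos, i ? " %02x" : "%02x", msg[i]);
    return shared_buf;
}

/* --- hardened form: caller-owned buffer, bounded copy, truncation report --- */

/* Appends s to out, never writing beyond out[outsz - 1] and always leaving
 * a NUL terminator. *pos tracks how much of out is in use. */
static void bounded_append(char *out, size_t outsz, size_t *pos, const char *s)
{
    size_t room = outsz - 1 - *pos;          /* bytes left before the NUL */
    size_t n = strlen(s);
    size_t copy = n < room ? n : room;
    memcpy(out + *pos, s, copy);
    *pos += copy;
    out[*pos] = '\0';
}

/* Formats msg into the caller's buffer out[outsz] (outsz must be > 0).
 * Returns the length the complete string needs, excluding the NUL, with
 * snprintf semantics: a return value >= outsz means the output was cut
 * short. Each caller supplies its own buffer, so there is no shared state
 * and concurrent calls cannot corrupt one another. */
size_t safe_msg2str(const unsigned char *msg, size_t len, char *out, size_t outsz)
{
    size_t need = 0, pos = 0;
    out[0] = '\0';
    for (size_t i = 0; i < len; i++) {
        char piece[4];                       /* "ff" or " ff" plus NUL */
        int n = snprintf(piece, sizeof piece, i ? " %02x" : "%02x", msg[i]);
        need += (size_t)n;
        bounded_append(out, outsz, &pos, piece);
    }
    return need;
}

/* Exercises the hardened form against a buffer too small for the message,
 * with canary bytes after it. Returns 1 when the output is truncated,
 * NUL-terminated and the canary just past out[outsz - 1] is untouched. */
int safe_msg2str_respects_bounds(void)
{
    const unsigned char msg[] = { 0xde, 0xad, 0xbe, 0xef };   /* constructed */
    char area[16];
    memset(area, 'X', sizeof area);
    size_t need = safe_msg2str(msg, sizeof msg, area, 8);
    return need == 11 && strcmp(area, "de ad b") == 0 && area[8] == 'X';
}

/* Shows the shared-buffer hazard: the second call clobbers the first's
 * result because both return the same static storage. Returns 1 when
 * that aliasing is observed. */
int unsafe_msg2str_results_alias(void)
{
    const unsigned char first[] = { 0xde, 0xad, 0xbe, 0xef };  /* constructed */
    const unsigned char second[] = { 0x01, 0x02 };             /* constructed */
    const char *a = unsafe_msg2str(first, sizeof first);
    const char *b = unsafe_msg2str(second, sizeof second);
    return a == b && strcmp(a, "01 02") == 0;
}

int main(void)
{
    char out[64];
    const unsigned char msg[] = { 0xde, 0xad, 0xbe, 0xef };
    printf("unsafe: %s\n", unsafe_msg2str(msg, sizeof msg));
    size_t need = safe_msg2str(msg, sizeof msg, out, sizeof out);
    printf("safe:   %s (needs %zu bytes)\n", out, need);
    printf("bounds respected: %d, results alias: %d\n",
           safe_msg2str_respects_bounds(), unsafe_msg2str_results_alias());
    return 0;
}
```

The hardened form follows the snprintf convention of returning the full required length rather than silently truncating, so a logging caller can detect that a message was cut short instead of trusting a partial dump; the caller-supplied buffer is what removes the cross-thread aliasing that the report points at.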
