oss-sec mailing list archives

Re: kernel: low-severity vfio driver integer overflow - Linux kernel


From: cve-assign () mitre org
Date: Thu, 27 Oct 2016 02:41:19 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

The vfio driver allows direct user access to devices. The
VFIO_DEVICE_SET_IRQS ioctl for vfio PCI devices has a state machine
confusion bug where specifying VFIO_IRQ_SET_DATA_NONE along with
another bit in VFIO_IRQ_SET_DATA_TYPE_MASK in hdr.flags allows integer
overflow checks to be skipped for hdr.start/hdr.count. This might
allow memory corruption later in vfio_pci_set_msi_trigger() with user
access to an appropriate vfio device file, but it seems difficult to
usefully exploit in practice.

https://patchwork.kernel.org/patch/9373631/

Use CVE-2016-9083 for the "state machine confusion bug."

Use CVE-2016-9084 for the separate problem fixed by "kzalloc is
changed to a kcalloc."

This is not yet available at
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/drivers/vfio/pci/vfio_pci.c
and
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/drivers/vfio/pci/vfio_pci_intrs.c
but may be there later.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYEaDdAAoJEHb/MwWLVhi2SXoP/A1cw0kppdrB03QUfdZM8ShT
BBnH+GWpricg333jEtfM1ypq5NqN62bG4/SQzvJwqV0HKffodIqzKAqpu0jzvzHA
rlVs+lrv0folE2T4mZNc0lDWr36lwIf2LJx3tdYnl/EaW11FSVIsO/K5/bnXYU0b
Yxarmk5jhG48pcjFo969FvpfDYXBZuleuluTWs/t4MM5R5iY/hpA/+vPBqQPf9Qp
Mb+WwFu4fuXjTxWRTXfaH6l2ZQ4qdjxzwZnHzyj4Xt/B9aXDQx/uibM6gwMlK79d
HSAElifmLxhBClhRj9t5CWjz7qxtD/Ll7UOklM1a6C+DPwvpYnr5iaz0iQDh4IA9
ZFWh+EffrFufmrvQ1/3YBLwCUd74thDisbeqZSaIOH9+itdV5rwiuiAz7PusNzcc
VLTh3kP34kahzIyvpNt342opeA/1dCvv1qNWCC1G9MwJbuW6N7PAm1v7bwr22Fz7
sFvQ7FB4aUV+AV835wkPNXqZaoyBfzDvzXoW9aFMzQzjcvdKfNT4VU7N2mHJqfYU
OP5PNuqUg4Wly0Rwych0YpoYTXfvFyy//AvuTIvZRHQErS5ny8gJvjwGg8oVObjr
l+3WOQxAmJST2jvczPLKhiQP3zPDmlMx9MTUuYWR4MJqaEf7nwjJnqTf5chWGPsR
9jneh8oMpkQJm0IRDyc+
=AZ3J
-----END PGP SIGNATURE-----
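As an added illustration of the two validation patterns the post contrasts (it is not code from the post, the patch, or the kernel), the following user-space C reconstruction places a "data-type bit short-circuits the range checks" validator beside one that matches the data type exactly and range-checks start/count before anything depends on them. The struct layout and flag values are assumed to match the VFIO UAPI header; `validate_weak`, `validate_hardened`, `checked_array_bytes` and the `run_*` helpers are names chosen for this example, and the weak function models only the pattern the post describes, not the kernel's actual control flow.

```c
/* Reconstruction for this page, not the kernel's vfio code.
 * Flag values and struct layout are assumed to follow uapi/linux/vfio.h. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define VFIO_IRQ_SET_DATA_NONE        (1u << 0)
#define VFIO_IRQ_SET_DATA_BOOL        (1u << 1)
#define VFIO_IRQ_SET_DATA_EVENTFD     (1u << 2)
#define VFIO_IRQ_SET_ACTION_MASK      (1u << 3)
#define VFIO_IRQ_SET_ACTION_UNMASK    (1u << 4)
#define VFIO_IRQ_SET_ACTION_TRIGGER   (1u << 5)
#define VFIO_IRQ_SET_DATA_TYPE_MASK   (VFIO_IRQ_SET_DATA_NONE | \
                                       VFIO_IRQ_SET_DATA_BOOL | \
                                       VFIO_IRQ_SET_DATA_EVENTFD)
#define VFIO_IRQ_SET_ACTION_TYPE_MASK (VFIO_IRQ_SET_ACTION_MASK | \
                                       VFIO_IRQ_SET_ACTION_UNMASK | \
                                       VFIO_IRQ_SET_ACTION_TRIGGER)

struct vfio_irq_set {
    uint32_t argsz;
    uint32_t flags;
    uint32_t index;
    uint32_t start;
    uint32_t count;
    /* variable-length data follows in the real ioctl argument */
};

/* Size of the fixed header, i.e. offsetofend(struct vfio_irq_set, count). */
#define MINSZ (offsetof(struct vfio_irq_set, count) + sizeof(uint32_t))

/* Weak pattern: if the NONE bit is present, no range check ever runs, even
 * when BOOL or EVENTFD is set at the same time and a later handler will
 * act on start/count as if data were present. */
static int validate_weak(const struct vfio_irq_set *hdr, uint32_t max_irqs)
{
    size_t size;
    if (hdr->argsz < MINSZ) return -EINVAL;
    if (hdr->flags & VFIO_IRQ_SET_DATA_NONE)
        return 0;                              /* checks below skipped */
    if (hdr->flags & VFIO_IRQ_SET_DATA_BOOL) size = sizeof(uint8_t);
    else if (hdr->flags & VFIO_IRQ_SET_DATA_EVENTFD) size = sizeof(int32_t);
    else return -EINVAL;
    if (hdr->argsz - MINSZ < hdr->count * size ||
        hdr->start >= max_irqs || hdr->start + hdr->count > max_irqs)
        return -EINVAL;
    return 0;
}

/* Hardened pattern: reject unknown bits, range-check start/count in wide
 * arithmetic before anything else, and accept exactly one data type. */
static int validate_hardened(const struct vfio_irq_set *hdr, uint32_t max_irqs,
                             size_t *data_size)
{
    size_t size;
    uint64_t end;
    *data_size = 0;
    if (hdr->argsz < MINSZ) return -EINVAL;
    if (hdr->flags & ~(VFIO_IRQ_SET_DATA_TYPE_MASK | VFIO_IRQ_SET_ACTION_TYPE_MASK))
        return -EINVAL;
    end = (uint64_t)hdr->start + hdr->count;       /* cannot wrap at 32 bits */
    if (hdr->start >= max_irqs || end > max_irqs) return -EINVAL;
    switch (hdr->flags & VFIO_IRQ_SET_DATA_TYPE_MASK) {  /* exact match only */
    case VFIO_IRQ_SET_DATA_NONE:    size = 0;               break;
    case VFIO_IRQ_SET_DATA_BOOL:    size = sizeof(uint8_t); break;
    case VFIO_IRQ_SET_DATA_EVENTFD: size = sizeof(int32_t); break;
    default: return -EINVAL;          /* zero or several data-type bits */
    }
    if (size) {
        if ((uint64_t)hdr->count * size > hdr->argsz - MINSZ) return -EINVAL;
        *data_size = (size_t)hdr->count * size;
    }
    return 0;
}

/* The kzalloc -> kcalloc point of CVE-2016-9084: an nmemb * elem allocation
 * size must be overflow-checked before it is trusted. Returns 0 and the
 * byte count, or -EOVERFLOW when the product does not fit in size_t. */
static int checked_array_bytes(size_t nmemb, size_t elem, size_t *bytes)
{
    if (__builtin_mul_overflow(nmemb, elem, bytes)) return -EOVERFLOW;
    return 0;
}

/* Helpers that build a header from scalars so scenarios are one call each. */
static int run_weak(uint32_t flags, uint32_t start, uint32_t count,
                    uint32_t argsz, uint32_t max_irqs)
{
    struct vfio_irq_set h = { argsz, flags, 0, start, count };
    return validate_weak(&h, max_irqs);
}

static int run_hardened(uint32_t flags, uint32_t start, uint32_t count,
                        uint32_t argsz, uint32_t max_irqs)
{
    struct vfio_irq_set h = { argsz, flags, 0, start, count };
    size_t ds;
    return validate_hardened(&h, max_irqs, &ds);
}

int main(void)
{
    /* Constructed request: NONE and EVENTFD set together, absurd start. */
    uint32_t f = VFIO_IRQ_SET_DATA_NONE | VFIO_IRQ_SET_DATA_EVENTFD |
                 VFIO_IRQ_SET_ACTION_TRIGGER;
    printf("weak: %d  hardened: %d\n",
           run_weak(f, 0xffffffffu, 2, (uint32_t)MINSZ, 4),
           run_hardened(f, 0xffffffffu, 2, (uint32_t)MINSZ, 4));
    return 0;
}
```

The decisive difference is the `switch` on the masked data-type field: a flags word carrying two data-type bits falls into `default` and is rejected, whereas `if (flags & NONE)` treats it as "no data" and skips the checks that the later EVENTFD handling would have relied on. Doing the start/count range check in 64-bit arithmetic before the type-specific size check also removes the wrap that `start + count` can suffer in 32 bits.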
