numactl crashes with segfault
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
numactl (Ubuntu) | Fix Released | High | Unassigned |
Trusty | Fix Released | High | Unassigned |
Utopic | Fix Released | High | Unassigned |
Bug Description
=======
SRU Justification
Impact: program crashes, may be exploitable
Test case: "numactl --hardware" on a large system
Regression potential: this patch only makes sure that a bitmask is in bss to initialize to 0.
=======
numactl sometimes crashes when enumerating hardware:
root@node1:~# numactl --hardware
available: 648 nodes (0-647)
Segmentation fault
Further analysis shows that libnuma is using an uninitialised pointer, whose value depends on program layout. When layout is sufficiently different, the pointer is non-NULL and the library parses the data pointed to as a bitmap, crashing.
Therefore, it is possible to leverage this in an exploit.
I have fixed the issue upstream:
https:/
information type: Private Security → Public
Changed in numactl (Ubuntu):
importance: Undecided → High
Changed in numactl (Ubuntu Trusty):
importance: Undecided → High
Changed in numactl (Ubuntu Utopic):
importance: Undecided → High
description: updated
tags: added: verification-done removed: verification-needed
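The failure mode described in the bug report, as an added example that is not numactl's or libnuma's own code. It assumes a lazily built node bitmap guarded by a NULL test, and the names used (the `struct bitmask` layout, `cached_nodes`, `get_nodes`, `count_nodes`) are hypothetical. Keeping the pointer at file scope places it in .bss, which is the zero-initialisation the SRU note relies on.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a node bitmap; names are assumptions, not libnuma's code. */
struct bitmask {
    unsigned long size;    /* number of valid bits */
    unsigned long *maskp;  /* backing words */
};
#define BITS_PER_LONG (8 * sizeof(unsigned long))

/* Static storage duration: lives in .bss, so C guarantees it starts as NULL.
 * An automatic or malloc'd pointer has no such guarantee; its leftover value
 * depends on program layout and would pass the NULL test below as "built". */
static struct bitmask *cached_nodes;

static struct bitmask *bitmask_new(unsigned long nbits)
{
    struct bitmask *bm = calloc(1, sizeof(*bm));
    if (bm == NULL)
        return NULL;
    bm->size = nbits;
    bm->maskp = calloc(nbits / BITS_PER_LONG + 1, sizeof(unsigned long));
    if (bm->maskp == NULL) { free(bm); return NULL; }
    return bm;
}

/* Lazy init: NULL is the only "not built yet" signal. */
struct bitmask *get_nodes(unsigned long nnodes)
{
    if (cached_nodes == NULL && (cached_nodes = bitmask_new(nnodes)) != NULL)
        for (unsigned long i = 0; i < nnodes; i++)
            cached_nodes->maskp[i / BITS_PER_LONG] |= 1UL << (i % BITS_PER_LONG);
    return cached_nodes;
}

/* Count set bits, never reading past the recorded size. */
unsigned long count_nodes(const struct bitmask *bm)
{
    unsigned long n = 0;
    for (unsigned long i = 0; bm != NULL && i < bm->size; i++)
        n += (bm->maskp[i / BITS_PER_LONG] >> (i % BITS_PER_LONG)) & 1UL;
    return n;
}

int main(void)
{
    printf("available: %lu nodes\n", count_nodes(get_nodes(648)));
    return 0;
}
```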
Do you know if a CVE has been assigned to this issue? I don't directly see how it could be used to cross privilege boundaries. Is there something I've missed?
Thanks