| 2012-04-23 23:48:58 |
John Johansen |
bug |
|
|
added bug |
| 2012-04-23 23:49:00 |
John Johansen |
tags |
|
kernel-cve-tracking-bug |
|
| 2012-04-23 23:49:01 |
John Johansen |
security vulnerability |
no |
yes |
|
| 2012-04-23 23:49:01 |
John Johansen |
security vulnerability |
no |
yes |
|
| 2012-04-23 23:49:03 |
John Johansen |
cve linked |
|
2012-2119 |
|
| 2012-04-23 23:49:13 |
John Johansen |
nominated for series |
|
Ubuntu Precise |
|
| 2012-04-23 23:49:15 |
John Johansen |
bug task added |
|
linux (Ubuntu Precise) |
|
| 2012-04-23 23:49:15 |
John Johansen |
bug task added |
|
linux-ec2 (Ubuntu Precise) |
|
| 2012-04-23 23:49:15 |
John Johansen |
bug task added |
|
linux-fsl-imx51 (Ubuntu Precise) |
|
| 2012-04-23 23:49:15 |
John Johansen |
bug task added |
|
linux-lts-backport-maverick (Ubuntu Precise) |
|
| 2012-04-23 23:49:15 |
John Johansen |
bug task added |
|
linux-lts-backport-natty (Ubuntu Precise) |
|
| 2012-04-23 23:49:15 |
John Johansen |
bug task added |
|
linux-mvl-dove (Ubuntu Precise) |
|
| 2012-04-23 23:49:15 |
John Johansen |
bug task added |
|
linux-ti-omap4 (Ubuntu Precise) |
|
| 2012-04-23 23:49:20 |
John Johansen |
nominated for series |
|
Ubuntu Oneiric |
|
| 2012-04-23 23:49:21 |
John Johansen |
bug task added |
|
linux (Ubuntu Oneiric) |
|
| 2012-04-23 23:49:21 |
John Johansen |
bug task added |
|
linux-ec2 (Ubuntu Oneiric) |
|
| 2012-04-23 23:49:21 |
John Johansen |
bug task added |
|
linux-fsl-imx51 (Ubuntu Oneiric) |
|
| 2012-04-23 23:49:21 |
John Johansen |
bug task added |
|
linux-lts-backport-maverick (Ubuntu Oneiric) |
|
| 2012-04-23 23:49:21 |
John Johansen |
bug task added |
|
linux-lts-backport-natty (Ubuntu Oneiric) |
|
| 2012-04-23 23:49:21 |
John Johansen |
bug task added |
|
linux-mvl-dove (Ubuntu Oneiric) |
|
| 2012-04-23 23:49:21 |
John Johansen |
bug task added |
|
linux-ti-omap4 (Ubuntu Oneiric) |
|
| 2012-04-23 23:49:26 |
John Johansen |
nominated for series |
|
Ubuntu Natty |
|
| 2012-04-23 23:49:27 |
John Johansen |
bug task added |
|
linux (Ubuntu Natty) |
|
| 2012-04-23 23:49:27 |
John Johansen |
bug task added |
|
linux-ec2 (Ubuntu Natty) |
|
| 2012-04-23 23:49:27 |
John Johansen |
bug task added |
|
linux-fsl-imx51 (Ubuntu Natty) |
|
| 2012-04-23 23:49:27 |
John Johansen |
bug task added |
|
linux-lts-backport-maverick (Ubuntu Natty) |
|
| 2012-04-23 23:49:27 |
John Johansen |
bug task added |
|
linux-lts-backport-natty (Ubuntu Natty) |
|
| 2012-04-23 23:49:27 |
John Johansen |
bug task added |
|
linux-mvl-dove (Ubuntu Natty) |
|
| 2012-04-23 23:49:27 |
John Johansen |
bug task added |
|
linux-ti-omap4 (Ubuntu Natty) |
|
| 2012-04-23 23:49:33 |
John Johansen |
nominated for series |
|
Ubuntu Lucid |
|
| 2012-04-23 23:49:34 |
John Johansen |
bug task added |
|
linux (Ubuntu Lucid) |
|
| 2012-04-23 23:49:34 |
John Johansen |
bug task added |
|
linux-ec2 (Ubuntu Lucid) |
|
| 2012-04-23 23:49:34 |
John Johansen |
bug task added |
|
linux-fsl-imx51 (Ubuntu Lucid) |
|
| 2012-04-23 23:49:34 |
John Johansen |
bug task added |
|
linux-lts-backport-maverick (Ubuntu Lucid) |
|
| 2012-04-23 23:49:34 |
John Johansen |
bug task added |
|
linux-lts-backport-natty (Ubuntu Lucid) |
|
| 2012-04-23 23:49:34 |
John Johansen |
bug task added |
|
linux-mvl-dove (Ubuntu Lucid) |
|
| 2012-04-23 23:49:34 |
John Johansen |
bug task added |
|
linux-ti-omap4 (Ubuntu Lucid) |
|
| 2012-04-23 23:49:40 |
John Johansen |
nominated for series |
|
Ubuntu Hardy |
|
| 2012-04-23 23:49:41 |
John Johansen |
bug task added |
|
linux (Ubuntu Hardy) |
|
| 2012-04-23 23:49:41 |
John Johansen |
bug task added |
|
linux-ec2 (Ubuntu Hardy) |
|
| 2012-04-23 23:49:41 |
John Johansen |
bug task added |
|
linux-fsl-imx51 (Ubuntu Hardy) |
|
| 2012-04-23 23:49:41 |
John Johansen |
bug task added |
|
linux-lts-backport-maverick (Ubuntu Hardy) |
|
| 2012-04-23 23:49:41 |
John Johansen |
bug task added |
|
linux-lts-backport-natty (Ubuntu Hardy) |
|
| 2012-04-23 23:49:41 |
John Johansen |
bug task added |
|
linux-mvl-dove (Ubuntu Hardy) |
|
| 2012-04-23 23:49:41 |
John Johansen |
bug task added |
|
linux-ti-omap4 (Ubuntu Hardy) |
|
| 2012-04-23 23:49:52 |
John Johansen |
linux-ec2 (Ubuntu Oneiric): status |
New |
Invalid |
|
| 2012-04-23 23:49:55 |
John Johansen |
linux-ec2 (Ubuntu Precise): status |
New |
Invalid |
|
| 2012-04-23 23:49:58 |
John Johansen |
linux-ec2 (Ubuntu Hardy): status |
New |
Invalid |
|
| 2012-04-23 23:50:02 |
John Johansen |
linux-ec2 (Ubuntu Natty): status |
New |
Invalid |
|
| 2012-04-23 23:50:06 |
John Johansen |
linux-lts-backport-oneiric (Ubuntu Oneiric): status |
New |
Invalid |
|
| 2012-04-23 23:50:09 |
John Johansen |
linux-lts-backport-oneiric (Ubuntu Precise): status |
New |
Invalid |
|
| 2012-04-23 23:50:12 |
John Johansen |
linux-lts-backport-oneiric (Ubuntu Hardy): status |
New |
Invalid |
|
| 2012-04-23 23:50:16 |
John Johansen |
linux-lts-backport-oneiric (Ubuntu Natty): status |
New |
Invalid |
|
| 2012-04-23 23:50:19 |
John Johansen |
linux-lts-backport-natty (Ubuntu Oneiric): status |
New |
Invalid |
|
| 2012-04-23 23:50:23 |
John Johansen |
linux-lts-backport-natty (Ubuntu Precise): status |
New |
Invalid |
|
| 2012-04-23 23:50:26 |
John Johansen |
linux-lts-backport-natty (Ubuntu Hardy): status |
New |
Invalid |
|
| 2012-04-23 23:50:29 |
John Johansen |
linux-lts-backport-natty (Ubuntu Natty): status |
New |
Invalid |
|
| 2012-04-23 23:50:32 |
John Johansen |
linux-mvl-dove (Ubuntu Oneiric): status |
New |
Invalid |
|
| 2012-04-23 23:50:36 |
John Johansen |
linux-mvl-dove (Ubuntu Precise): status |
New |
Invalid |
|
| 2012-04-23 23:50:40 |
John Johansen |
linux-mvl-dove (Ubuntu Hardy): status |
New |
Invalid |
|
| 2012-04-23 23:50:44 |
John Johansen |
linux-mvl-dove (Ubuntu Natty): status |
New |
Invalid |
|
| 2012-04-23 23:50:47 |
John Johansen |
linux-lts-backport-maverick (Ubuntu Oneiric): status |
New |
Invalid |
|
| 2012-04-23 23:50:50 |
John Johansen |
linux-lts-backport-maverick (Ubuntu Precise): status |
New |
Invalid |
|
| 2012-04-23 23:50:54 |
John Johansen |
linux-lts-backport-maverick (Ubuntu Hardy): status |
New |
Invalid |
|
| 2012-04-23 23:50:58 |
John Johansen |
linux-lts-backport-maverick (Ubuntu Natty): status |
New |
Invalid |
|
| 2012-04-23 23:51:03 |
John Johansen |
linux-ti-omap4 (Ubuntu Lucid): status |
New |
Invalid |
|
| 2012-04-23 23:51:07 |
John Johansen |
linux-ti-omap4 (Ubuntu Hardy): status |
New |
Invalid |
|
| 2012-04-23 23:51:09 |
John Johansen |
linux-fsl-imx51 (Ubuntu Oneiric): status |
New |
Invalid |
|
| 2012-04-23 23:51:13 |
John Johansen |
linux-fsl-imx51 (Ubuntu Precise): status |
New |
Invalid |
|
| 2012-04-23 23:51:17 |
John Johansen |
linux-fsl-imx51 (Ubuntu Hardy): status |
New |
Invalid |
|
| 2012-04-23 23:51:21 |
John Johansen |
linux-fsl-imx51 (Ubuntu Natty): status |
New |
Invalid |
|
| 2012-04-23 23:51:25 |
John Johansen |
description |
Placeholder |
Currently we do not validate the vector length before calling get_user_pages_fast(), host stack could be easily overflowed by malicious guest driver who gives us a descriptors with length greater than MAX_SKB_FRAGS. A privileged guest user could use this flaw to induce stack overflow on the host with attacker non-controlled data (some bits can be guessed, as it will be pointers to kernel memory) but with attacker controlled length. |
|
| 2012-04-23 23:51:27 |
John Johansen |
linux-ec2 (Ubuntu Oneiric): importance |
Undecided |
Low |
|
| 2012-04-23 23:51:29 |
John Johansen |
linux-ec2 (Ubuntu Lucid): importance |
Undecided |
Low |
|
| 2012-04-23 23:51:32 |
John Johansen |
linux-ec2 (Ubuntu Precise): importance |
Undecided |
Low |
|
| 2012-04-23 23:51:34 |
John Johansen |
linux-ec2 (Ubuntu Hardy): importance |
Undecided |
Low |
|
| 2012-04-23 23:51:37 |
John Johansen |
linux-ec2 (Ubuntu Natty): importance |
Undecided |
Low |
|
| 2012-04-23 23:51:39 |
John Johansen |
linux-lts-backport-oneiric (Ubuntu Oneiric): importance |
Undecided |
Low |
|
| 2012-04-23 23:51:42 |
John Johansen |
linux-lts-backport-oneiric (Ubuntu Lucid): importance |
Undecided |
Low |
|
| 2012-04-23 23:51:46 |
John Johansen |
linux-lts-backport-oneiric (Ubuntu Precise): importance |
Undecided |
Low |
|
| 2012-04-23 23:51:49 |
John Johansen |
linux-lts-backport-oneiric (Ubuntu Hardy): importance |
Undecided |
Low |
|
| 2012-04-23 23:51:51 |
John Johansen |
linux-lts-backport-oneiric (Ubuntu Natty): importance |
Undecided |
Low |
|
| 2012-04-23 23:51:54 |
John Johansen |
linux-lts-backport-natty (Ubuntu Oneiric): importance |
Undecided |
Low |
|
| 2012-04-23 23:51:57 |
John Johansen |
linux-lts-backport-natty (Ubuntu Lucid): importance |
Undecided |
Low |
|
| 2012-04-23 23:51:59 |
John Johansen |
linux-lts-backport-natty (Ubuntu Precise): importance |
Undecided |
Low |
|
| 2012-04-23 23:52:03 |
John Johansen |
linux-lts-backport-natty (Ubuntu Hardy): importance |
Undecided |
Low |
|
| 2012-04-23 23:52:06 |
John Johansen |
linux-lts-backport-natty (Ubuntu Natty): importance |
Undecided |
Low |
|
| 2012-04-23 23:52:09 |
John Johansen |
linux-mvl-dove (Ubuntu Oneiric): importance |
Undecided |
Low |
|
| 2012-04-23 23:52:12 |
John Johansen |
linux-mvl-dove (Ubuntu Lucid): status |
New |
Invalid |
|
| 2012-04-23 23:52:15 |
John Johansen |
linux-mvl-dove (Ubuntu Lucid): importance |
Undecided |
Low |
|
| 2012-04-23 23:52:17 |
John Johansen |
linux-mvl-dove (Ubuntu Precise): importance |
Undecided |
Low |
|
| 2012-04-23 23:52:20 |
John Johansen |
linux-mvl-dove (Ubuntu Hardy): importance |
Undecided |
Low |
|
| 2012-04-23 23:52:23 |
John Johansen |
linux-mvl-dove (Ubuntu Natty): importance |
Undecided |
Low |
|
| 2012-04-23 23:52:26 |
John Johansen |
linux-lts-backport-maverick (Ubuntu Oneiric): importance |
Undecided |
Low |
|
| 2012-04-23 23:52:29 |
John Johansen |
linux-lts-backport-maverick (Ubuntu Lucid): status |
New |
Invalid |
|
| 2012-04-23 23:52:31 |
John Johansen |
linux-lts-backport-maverick (Ubuntu Lucid): importance |
Undecided |
Low |
|
| 2012-04-23 23:52:34 |
John Johansen |
linux-lts-backport-maverick (Ubuntu Precise): importance |
Undecided |
Low |
|
| 2012-04-23 23:52:38 |
John Johansen |
linux-lts-backport-maverick (Ubuntu Hardy): importance |
Undecided |
Low |
|
| 2012-04-23 23:52:41 |
John Johansen |
linux-lts-backport-maverick (Ubuntu Natty): importance |
Undecided |
Low |
|
| 2012-04-23 23:52:44 |
John Johansen |
linux (Ubuntu Oneiric): importance |
Undecided |
Low |
|
| 2012-04-23 23:52:47 |
John Johansen |
linux (Ubuntu Lucid): importance |
Undecided |
Low |
|
| 2012-04-23 23:52:49 |
John Johansen |
linux (Ubuntu Precise): importance |
Undecided |
Low |
|
| 2012-04-23 23:52:53 |
John Johansen |
linux (Ubuntu Hardy): importance |
Undecided |
Low |
|
| 2012-04-23 23:52:57 |
John Johansen |
linux (Ubuntu Natty): importance |
Undecided |
Low |
|
| 2012-04-23 23:53:00 |
John Johansen |
linux-ti-omap4 (Ubuntu Oneiric): importance |
Undecided |
Low |
|
| 2012-04-23 23:53:04 |
John Johansen |
linux-ti-omap4 (Ubuntu Lucid): importance |
Undecided |
Low |
|
| 2012-04-23 23:53:07 |
John Johansen |
linux-ti-omap4 (Ubuntu Precise): importance |
Undecided |
Low |
|
| 2012-04-23 23:53:10 |
John Johansen |
linux-ti-omap4 (Ubuntu Hardy): importance |
Undecided |
Low |
|
| 2012-04-23 23:53:13 |
John Johansen |
linux-ti-omap4 (Ubuntu Natty): importance |
Undecided |
Low |
|
| 2012-04-23 23:53:16 |
John Johansen |
linux-fsl-imx51 (Ubuntu Oneiric): importance |
Undecided |
Low |
|
| 2012-04-23 23:53:19 |
John Johansen |
linux-fsl-imx51 (Ubuntu Lucid): importance |
Undecided |
Low |
|
| 2012-04-23 23:53:22 |
John Johansen |
linux-fsl-imx51 (Ubuntu Precise): importance |
Undecided |
Low |
|
| 2012-04-23 23:53:25 |
John Johansen |
linux-fsl-imx51 (Ubuntu Hardy): importance |
Undecided |
Low |
|
| 2012-04-23 23:53:28 |
John Johansen |
linux-fsl-imx51 (Ubuntu Natty): importance |
Undecided |
Low |
|
| 2012-05-01 22:41:22 |
John Johansen |
nominated for series |
|
Ubuntu Quantal |
|
| 2012-05-01 22:41:23 |
John Johansen |
linux-armadaxp (Ubuntu Precise): importance |
Undecided |
Low |
|
| 2012-05-01 22:41:26 |
John Johansen |
linux-armadaxp (Ubuntu Oneiric): status |
New |
Invalid |
|
| 2012-05-01 22:41:30 |
John Johansen |
linux-armadaxp (Ubuntu Oneiric): importance |
Undecided |
Low |
|
| 2012-05-01 22:41:34 |
John Johansen |
linux-armadaxp (Ubuntu Lucid): status |
New |
Invalid |
|
| 2012-05-01 22:41:37 |
John Johansen |
linux-armadaxp (Ubuntu Lucid): importance |
Undecided |
Low |
|
| 2012-05-01 22:41:40 |
John Johansen |
linux-armadaxp (Ubuntu Hardy): status |
New |
Invalid |
|
| 2012-05-01 22:41:44 |
John Johansen |
linux-armadaxp (Ubuntu Hardy): importance |
Undecided |
Low |
|
| 2012-05-01 22:41:47 |
John Johansen |
linux-armadaxp (Ubuntu Natty): status |
New |
Invalid |
|
| 2012-05-01 22:41:50 |
John Johansen |
linux-armadaxp (Ubuntu Natty): importance |
Undecided |
Low |
|
| 2012-05-04 21:27:01 |
John Johansen |
bug task added |
|
linux (Ubuntu Quantal) |
|
| 2012-05-04 21:27:01 |
John Johansen |
bug task added |
|
linux-armadaxp (Ubuntu Quantal) |
|
| 2012-05-04 21:27:01 |
John Johansen |
bug task added |
|
linux-ec2 (Ubuntu Quantal) |
|
| 2012-05-04 21:27:01 |
John Johansen |
bug task added |
|
linux-fsl-imx51 (Ubuntu Quantal) |
|
| 2012-05-04 21:27:01 |
John Johansen |
bug task added |
|
linux-lts-backport-maverick (Ubuntu Quantal) |
|
| 2012-05-04 21:27:01 |
John Johansen |
bug task added |
|
linux-lts-backport-natty (Ubuntu Quantal) |
|
| 2012-05-04 21:27:01 |
John Johansen |
bug task added |
|
linux-lts-backport-oneiric (Ubuntu Quantal) |
|
| 2012-05-04 21:27:01 |
John Johansen |
bug task added |
|
linux-mvl-dove (Ubuntu Quantal) |
|
| 2012-05-04 21:27:01 |
John Johansen |
bug task added |
|
linux-ti-omap4 (Ubuntu Quantal) |
|
| 2012-05-04 22:29:11 |
John Johansen |
linux-armadaxp (Ubuntu Quantal): importance |
Undecided |
Low |
|
| 2012-07-25 17:44:19 |
John Johansen |
description |
Currently we do not validate the vector length before calling get_user_pages_fast(), host stack could be easily overflowed by malicious guest driver who gives us a descriptors with length greater than MAX_SKB_FRAGS. A privileged guest user could use this flaw to induce stack overflow on the host with attacker non-controlled data (some bits can be guessed, as it will be pointers to kernel memory) but with attacker controlled length. |
Currently we do not validate the vector length before calling get_user_pages_fast(), host stack could be easily overflowed by malicious guest driver who gives us a descriptors with length greater than MAX_SKB_FRAGS. A privileged guest user could use this flaw to induce stack overflow on the host with attacker non-controlled data (some bits can be guessed, as it will be pointers to kernel memory) but with attacker controlled length.
Break-Fix: - b92946e2919134ebe2a4083e4302236295ea2a73 |
|
| 2012-07-26 19:34:56 |
John Johansen |
linux-armadaxp (Ubuntu Precise): status |
New |
Fix Committed |
|
| 2012-07-26 19:35:00 |
John Johansen |
linux-armadaxp (Ubuntu Quantal): status |
New |
Fix Committed |
|
| 2012-07-26 19:35:04 |
John Johansen |
linux (Ubuntu Precise): status |
New |
Fix Committed |
|
| 2012-07-26 19:35:06 |
John Johansen |
linux (Ubuntu Quantal): status |
New |
Invalid |
|
| 2012-07-26 19:35:09 |
John Johansen |
linux-ti-omap4 (Ubuntu Precise): status |
New |
Fix Committed |
|
| 2012-07-26 19:35:11 |
John Johansen |
linux-ti-omap4 (Ubuntu Quantal): status |
New |
Invalid |
|
| 2012-08-15 23:11:45 |
John Johansen |
linux (Ubuntu Precise): status |
Fix Committed |
Fix Released |
|
| 2012-08-15 23:11:49 |
John Johansen |
linux-ti-omap4 (Ubuntu Precise): status |
Fix Committed |
Fix Released |
|
| 2012-08-23 00:44:03 |
John Johansen |
linux-armadaxp (Ubuntu Precise): status |
Fix Committed |
Fix Released |
|
| 2012-10-02 08:25:54 |
Ike Panhc |
linux-armadaxp (Ubuntu Quantal): status |
Fix Committed |
Fix Released |
|
| 2012-10-04 17:39:07 |
Steve Conklin |
linux (Ubuntu Oneiric): status |
New |
In Progress |
|
| 2012-10-04 18:53:06 |
Steve Conklin |
linux (Ubuntu Natty): status |
New |
In Progress |
|
| 2012-10-04 18:53:40 |
Steve Conklin |
linux (Ubuntu Lucid): status |
New |
In Progress |
|
| 2012-10-04 18:53:53 |
Steve Conklin |
linux (Ubuntu Hardy): status |
New |
In Progress |
|
| 2012-10-04 23:29:08 |
John Johansen |
description |
Currently we do not validate the vector length before calling get_user_pages_fast(), host stack could be easily overflowed by malicious guest driver who gives us a descriptors with length greater than MAX_SKB_FRAGS. A privileged guest user could use this flaw to induce stack overflow on the host with attacker non-controlled data (some bits can be guessed, as it will be pointers to kernel memory) but with attacker controlled length.
Break-Fix: - b92946e2919134ebe2a4083e4302236295ea2a73 |
Currently we do not validate the vector length before calling get_user_pages_fast(), host stack could be easily overflowed by malicious guest driver who gives us a descriptors with length greater than MAX_SKB_FRAGS. A privileged guest user could use this flaw to induce stack overflow on the host with attacker non-controlled data (some bits can be guessed, as it will be pointers to kernel memory) but with attacker controlled length.
Break-Fix: 97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2 - 3afc9621f15701c557e60f61eba9242bac2771dd
Break-Fix: 97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2 - 4ef67ebedffa44ed9939b34708ac2fee06d2f65f
Break-Fix: 97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2 - 02ce04bb3d28c3333231f43bca677228dbc686fe
Break-Fix: 97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2 - 01d6657b388438def19c8baaea28e742b6ed32ec
Break-Fix: 97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2 - b92946e2919134ebe2a4083e4302236295ea2a73 |
|
| 2013-05-21 21:46:09 |
Jamie Strandboge |
linux (Ubuntu Hardy): status |
In Progress |
Won't Fix |
|
| 2013-05-21 21:46:21 |
Jamie Strandboge |
linux-lts-backport-oneiric (Ubuntu Lucid): status |
New |
Won't Fix |
|
| 2013-05-21 21:46:31 |
Jamie Strandboge |
linux-ti-omap4 (Ubuntu Natty): status |
New |
Won't Fix |
|
| 2013-05-21 21:46:40 |
Jamie Strandboge |
linux-ti-omap4 (Ubuntu Oneiric): status |
New |
Won't Fix |
|
| 2013-05-22 12:25:54 |
Jamie Strandboge |
linux-lts-backport-natty (Ubuntu Lucid): status |
New |
Won't Fix |
|
| 2013-07-12 20:18:26 |
Jamie Strandboge |
linux (Ubuntu Natty): status |
In Progress |
Won't Fix |
|
| 2013-07-12 20:18:41 |
Jamie Strandboge |
linux (Ubuntu Oneiric): status |
In Progress |
Won't Fix |
|
| 2015-05-22 10:25:06 |
Mathew Hodson |
description |
Currently we do not validate the vector length before calling get_user_pages_fast(), host stack could be easily overflowed by malicious guest driver who gives us a descriptors with length greater than MAX_SKB_FRAGS. A privileged guest user could use this flaw to induce stack overflow on the host with attacker non-controlled data (some bits can be guessed, as it will be pointers to kernel memory) but with attacker controlled length.
Break-Fix: 97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2 - 3afc9621f15701c557e60f61eba9242bac2771dd
Break-Fix: 97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2 - 4ef67ebedffa44ed9939b34708ac2fee06d2f65f
Break-Fix: 97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2 - 02ce04bb3d28c3333231f43bca677228dbc686fe
Break-Fix: 97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2 - 01d6657b388438def19c8baaea28e742b6ed32ec
Break-Fix: 97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2 - b92946e2919134ebe2a4083e4302236295ea2a73 |
Buffer overflow in the macvtap device driver in the Linux kernel before
3.4.5, when running in certain configurations, allows privileged KVM guest
users to cause a denial of service (crash) via a long descriptor with a
long vector length.
Break-Fix: 97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2 3afc9621f15701c557e60f61eba9242bac2771dd
Break-Fix: 97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2 4ef67ebedffa44ed9939b34708ac2fee06d2f65f
Break-Fix: 97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2 02ce04bb3d28c3333231f43bca677228dbc686fe
Break-Fix: 97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2 01d6657b388438def19c8baaea28e742b6ed32ec
Break-Fix: 97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2 b92946e2919134ebe2a4083e4302236295ea2a73 |
|
| 2015-05-22 10:26:09 |
Mathew Hodson |
linux (Ubuntu Lucid): status |
In Progress |
Invalid |
|
| 2015-05-22 10:27:39 |
Mathew Hodson |
linux-ec2 (Ubuntu Lucid): status |
New |
Invalid |
|
| 2015-05-22 10:28:07 |
Mathew Hodson |
linux-fsl-imx51 (Ubuntu Lucid): status |
New |
Invalid |
|
