Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com
☎ 03 60 47 09 81 - info@securiteinfo.com
In the Linux kernel, the following vulnerability has been resolved:drivers/rapidio/rio_cm.c: prevent possible heap overwriteInriocm_cdev_ioctl(RIO_CM_CHAN_SEND) -> cm_chan_msg_send() -> riocm_ch_send()cm_chan_msg_send() checks that userspace didn't send too much data butriocm_ch_send() failed to check that userspace sent sufficient data. Theresult is that riocm_ch_send() can write to fields in the rio_ch_chan_hdrwhich were outside the bounds of the space which cm_chan_msg_send()allocated.Address this by teaching riocm_ch_send() to check that the entirerio_ch_chan_hdr was copied in from userspace.
No PoCs from references.
- https://github.com/w4zu/Debian_security