** Description changed:

- Currently we do not validate the vector length before calling
- get_user_pages_fast(), host stack could be easily overflowed by
- malicious guest driver who gives us a descriptors with length greater
- than MAX_SKB_FRAGS.  A privileged guest user could use this flaw to
- induce stack overflow on the host with attacker non-controlled data
- (some bits can be guessed, as it will be pointers to kernel memory) but
- with attacker controlled length.
+ Buffer overflow in the macvtap device driver in the Linux kernel before
+ 3.4.5, when running in certain configurations, allows privileged KVM guest
+ users to cause a denial of service (crash) via a long descriptor with a
+ long vector length.
  
- Break-Fix: 97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2 - 
3afc9621f15701c557e60f61eba9242bac2771dd
- Break-Fix: 97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2 - 
4ef67ebedffa44ed9939b34708ac2fee06d2f65f
- Break-Fix: 97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2 - 
02ce04bb3d28c3333231f43bca677228dbc686fe
- Break-Fix: 97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2 - 
01d6657b388438def19c8baaea28e742b6ed32ec
- Break-Fix: 97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2 - 
b92946e2919134ebe2a4083e4302236295ea2a73
+ Break-Fix: 97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2 
3afc9621f15701c557e60f61eba9242bac2771dd
+ Break-Fix: 97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2 
4ef67ebedffa44ed9939b34708ac2fee06d2f65f
+ Break-Fix: 97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2 
02ce04bb3d28c3333231f43bca677228dbc686fe
+ Break-Fix: 97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2 
01d6657b388438def19c8baaea28e742b6ed32ec
+ Break-Fix: 97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2 
b92946e2919134ebe2a4083e4302236295ea2a73

** Changed in: linux (Ubuntu Lucid)
       Status: In Progress => Invalid

** Changed in: linux-ec2 (Ubuntu Lucid)
       Status: New => Invalid

** Changed in: linux-fsl-imx51 (Ubuntu Lucid)
       Status: New => Invalid

https://bugs.launchpad.net/bugs/987566

Title:
  CVE-2012-2119
