[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
port-i386/41269: Incorrect validation in firewire driver code makes it vulnerable.
>Synopsis: Incorrect validation in firewire driver code makes it
>Arrival-Date: Thu Apr 23 03:55:00 +0000 2009
>Originator: Shivam Patel
Carnegie Mellon University
Kindly refer to the following file:
Line no. 876
This line fails to validate the negative values of crom_buf->len.
Since user can provide any value to crom_buf->len, a malicious user can bypass
the if validation and can access unauthorized memory (line 880).
Please refer to the fix below.
We at CMU are researching to develop automated techniques to detect bugs due to
code-reuse. We came across this bug by running a automated program.
I hope this helps.
This is a logical validation error. See description in 'Description' Section
and its fix in the 'Fix to the problem' section.
This vulnerability can be easily fixed by replacing the line as follows:
Line no. 876
Current_line: if (crom_buf->len < len)
Possible Fix: if (crom_buf->len < len && crom_buf->len >= 0)
Similar vulnerability prevailed in the FreeBSD5.4 and below versions. It was
fixed in FreeBSD5.5 and beyond.
Refer line 715 of FreeBSD5.4 at:
Refer to the fixed version in FreeBSD5.5 (line 715) at:
Hope this helps
Main Index |
Thread Index |