Description of problem:
Struct ca is copied from userspace. It is not checked whether the "device"
field is NULL terminated. This potentially leads to BUG() inside of
alloc_netdev_mqs() and/or information leak by creating a device with a name
made of contents of kernel stack.
References:
http://seclists.org/oss-sec/2011/q1/309
https://lkml.org/lkml/2011/2/14/50
Acknowledgements:
Red Hat would like to thank Vasiliy Kulikov of Openwall for reporting this issue.
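The missing termination check described above, modelled in userspace C as an added example (not code from the kernel or from the reported patch). The struct layout, the 16-byte field size and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16  /* assumed size of the name field in this model */

/* Hypothetical request layout: a fixed-size name field filled by the caller. */
struct conn_req {
    int  sock;
    char device[NAME_LEN];
};

/* Returns 1 if a NUL byte occurs inside the field's bounds, else 0. */
static int name_is_terminated(const struct conn_req *req)
{
    return memchr(req->device, '\0', sizeof(req->device)) != NULL;
}

/* Unchecked copy: the caller's bytes are taken verbatim (the "before"). */
static void copy_request(struct conn_req *dst, const void *src)
{
    memcpy(dst, src, sizeof(*dst));
}

/* Hardened copy: force termination so string functions stay in bounds. */
static void copy_request_checked(struct conn_req *dst, const void *src)
{
    memcpy(dst, src, sizeof(*dst));
    dst->device[sizeof(dst->device) - 1] = '\0';
}

/* Constructed input: every byte of the name field is non-NUL. */
static struct conn_req make_unterminated(void)
{
    struct conn_req r;
    memset(&r, 0, sizeof(r));
    memset(r.device, 'A', sizeof(r.device));
    return r;
}

int main(void)
{
    struct conn_req in = make_unterminated(), a, b;
    copy_request(&a, &in);
    copy_request_checked(&b, &in);
    /* strlen(a.device) would read past the field, so only b is measured. */
    printf("unchecked terminated: %d\n", name_is_terminated(&a));
    printf("checked terminated:   %d, len %zu\n",
           name_is_terminated(&b), strlen(b.device));
    return 0;
}
```

Any consumer that treats the unchecked field as a C string reads whatever follows it in memory, which is how stack contents can end up in a device name.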
Comment 3 Eugene Teo (Security Response)
2011-04-11 04:03:31 UTC