Description of the problem:
A buffer overrun flaw was found in kernels from 3.0 to 3.4 when calling
log_prefix() function from call_console_drivers().
In log_prefix(), the access to "p[1]", "p[2]" or
"simple_strtoul(&p[1], &endp, 10)" may cause a buffer overflow as this
function is called from call_console_drivers by passing "&LOG_BUF(cur_index)"
where the index must be masked to do not exceed the buffer's boundary.
A local user able to write to /dev/kmsg could use this flaw to crash the
system.
Note: /dev/kmsg is root writable only (at least on RHEL/Fedora), but it
still might cause issues in restricted root environments.
References:
https://bugs.gentoo.org/458780https://secunia.com/advisories/52366/
Statement:
This issue did not affect the versions of kernel package as shipped with Red Hat Enterprise Linux 5 and 6. Future kernel updates for Red Hat Enterprise MRG 2 may address this flaw.
Description of the problem: A buffer overrun flaw was found in kernels from 3.0 to 3.4 when calling log_prefix() function from call_console_drivers(). In log_prefix(), the access to "p[1]", "p[2]" or "simple_strtoul(&p[1], &endp, 10)" may cause a buffer overflow as this function is called from call_console_drivers by passing "&LOG_BUF(cur_index)" where the index must be masked to do not exceed the buffer's boundary. A local user able to write to /dev/kmsg could use this flaw to crash the system. Note: /dev/kmsg is root writable only (at least on RHEL/Fedora), but it still might cause issues in restricted root environments. References: https://bugs.gentoo.org/458780 https://secunia.com/advisories/52366/