Red Hat Bugzilla – Bug 491787
CVE-2009-1046 kernel: utf8 selection memory corruption
Last modified: 2009-07-04 12:27:36 EDT
Fix an off-by-two memory error in console selection.
The loop below goes from sel_start to sel_end (inclusive), so it writes one more character. This one more character was added to the allocated size (+1), but it was not multiplied by a UTF-8 multiplier.
This patch fixes a memory corruption when UTF-8 console is used and the user selects a few characters, all of them 3-byte in UTF-8 (for example a frame line).
When memory redzones are enabled, a redzone corruption is reported. When they are not enabled, trashing of random memory occurs.
Created attachment 336418
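The size arithmetic described in the patch comment above, as an added userspace model (not the kernel source and not code from this bug report). The function and variable names are assumptions, the selection is modelled as inclusive cell indexes, and the sample rows are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#define UTF8_MULT 3 /* worst case from the report: 3 bytes per selected character */

/* Size as the report describes the bug: only (last - first) is scaled, the +1 is not. */
static size_t alloc_before_fix(size_t first, size_t last) {
    return (last - first) * UTF8_MULT + 1;
}

/* Size after the fix: the inclusive character count is scaled as a whole. */
static size_t alloc_after_fix(size_t first, size_t last) {
    return (last - first + 1) * UTF8_MULT;
}

/* Encode one BMP code point as UTF-8; returns the number of bytes (1 to 3). */
static size_t utf8_put(unsigned cp, unsigned char *out) {
    if (cp < 0x80) { out[0] = (unsigned char)cp; return 1; }
    if (cp < 0x800) {
        out[0] = (unsigned char)(0xC0 | (cp >> 6));
        out[1] = (unsigned char)(0x80 | (cp & 0x3F));
        return 2;
    }
    out[0] = (unsigned char)(0xE0 | (cp >> 12));
    out[1] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
    out[2] = (unsigned char)(0x80 | (cp & 0x3F));
    return 3;
}

/* Bytes the copy loop emits for cells first..last, both ends included. */
static size_t bytes_needed(const unsigned *cells, size_t first, size_t last) {
    unsigned char tmp[3];
    size_t n = 0;
    for (size_t i = first; i <= last; i++)
        n += utf8_put(cells[i], tmp);
    return n;
}

/* Bytes that would land past the end of the allocation (0 means it fits). */
static size_t overrun(size_t alloc, size_t needed) {
    return needed > alloc ? needed - alloc : 0;
}
/* Constructed sample rows: four frame-line cells (U+2500) and four ASCII cells. */
static const unsigned frame_line[4] = {0x2500, 0x2500, 0x2500, 0x2500};
static const unsigned ascii_line[4] = {'a', 'b', 'c', 'd'};
int main(void) {
    size_t need = bytes_needed(frame_line, 0, 3), plain = bytes_needed(ascii_line, 0, 3);
    printf("frame line: need %zu, overrun before fix %zu, after fix %zu; ASCII overrun %zu\n",
           need, overrun(alloc_before_fix(0, 3), need), overrun(alloc_after_fix(0, 3), need),
           overrun(alloc_before_fix(0, 3), plain));
}
```

The shortfall is two bytes for any selection made up only of 3-byte characters, while ASCII selections fit, which is why the defect shows up only on a UTF-8 console.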
CVSS2 score of medium, 4.7 (AV:L/AC:M/Au:N/C:N/I:N/A:C)
The attacker needs to be at the console to exploit this.
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1046 to
The console selection feature in the Linux kernel 2.6.28 before
18.104.22.168, 2.6.25, and possibly earlier versions, when the UTF-8
console is used, allows physically proximate attackers to cause a
denial of service (memory corruption) by selecting a small number of
3-byte UTF-8 characters, which triggers an "an off-by-two memory
error." NOTE: it is not clear whether this issue crosses privilege
This issue has been addressed in the following products:
MRG for RHEL-5
Via RHSA-2009:0451 https://rhn.redhat.com/errata/RHSA-2009-0451.html