Fix an off-by-two memory error in console selection. The loop below goes from sel_start to sel_end (inclusive), so it writes one more character. This one more character was added to the allocated size (+1), but it was not multiplied by a UTF-8 multiplier. This patch fixes a memory corruption when UTF-8 console is used and the user selects a few characters, all of them 3-byte in UTF-8 (for example a frame line). When memory redzones are enabled, a redzone corruption is reported. When they are not enabled, trashing of random memory occurs.
Created attachment 336418 Upstream patch http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=878b8619f711280fd05845e21956434b5e588cc4
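Added example, not code from the kernel's selection.c or from the upstream patch: a small C model of the allocation arithmetic described above, contrasting the pre-fix size formula with the fixed one and running the inclusive copy loop into a buffer followed by a redzone so the overrun can be measured. The 2-byte cell walk, the redzone layout and the 'x' filler bytes are assumptions of this model.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REDZONE 8          /* assumed: guard bytes placed after the allocation */
#define REDZONE_BYTE 0xA5  /* assumed: fill pattern that a write would disturb */

/* Pre-fix formula: the +1 for the inclusive end sits outside the multiply. */
static size_t buggy_alloc_size(int sel_start, int sel_end, int multiplier)
{
    return (size_t)((sel_end - sel_start) / 2) * multiplier + 1;
}

/* Fixed formula: the extra character is also multiplied by the UTF-8 width. */
static size_t fixed_alloc_size(int sel_start, int sel_end, int multiplier)
{
    return (size_t)((sel_end - sel_start) / 2 + 1) * multiplier;
}

/* Model of the copy loop: walks sel_start..sel_end inclusive in 2-byte cells and
 * emits `width` bytes per cell into a buffer of `alloc` bytes that is followed by
 * a redzone. Returns how many redzone bytes were overwritten (0 = no corruption). */
static size_t redzone_bytes_hit(int sel_start, int sel_end, int width, size_t alloc)
{
    unsigned char *buf = malloc(alloc + REDZONE);
    if (!buf)
        return 0;
    memset(buf, 0, alloc);
    memset(buf + alloc, REDZONE_BYTE, REDZONE);
    unsigned char *bp = buf;
    for (int i = sel_start; i <= sel_end; i += 2)
        for (int k = 0; k < width; k++)
            if ((size_t)(bp - buf) < alloc + REDZONE) /* never run past our own guard */
                *bp++ = 'x';
    size_t hit = 0;
    for (size_t j = 0; j < REDZONE; j++)
        if (buf[alloc + j] != REDZONE_BYTE)
            hit++;
    free(buf);
    return hit;
}

int main(void)
{
    int s = 0, e = 4, w = 3; /* three cells, each a 3-byte character such as a frame line */
    printf("pre-fix size: %zu redzone bytes hit\n", redzone_bytes_hit(s, e, w, buggy_alloc_size(s, e, w)));
    printf("fixed size:   %zu redzone bytes hit\n", redzone_bytes_hit(s, e, w, fixed_alloc_size(s, e, w)));
    return 0;
}
```

With three 3-byte characters the pre-fix allocation is 7 bytes for 9 written, which is exactly the two-byte overrun the title refers to; with 1-byte characters both formulas agree, which is why the bug only shows up on a UTF-8 console.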
CVSS2 score of medium, 4.7 (AV:L/AC:M/Au:N/C:N/I:N/A:C) The attacker needs to be at the console to exploit this.
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1046 to this vulnerability: The console selection feature in the Linux kernel 2.6.28 before 2.6.28.4, 2.6.25, and possibly earlier versions, when the UTF-8 console is used, allows physically proximate attackers to cause a denial of service (memory corruption) by selecting a small number of 3-byte UTF-8 characters, which triggers "an off-by-two memory error." NOTE: it is not clear whether this issue crosses privilege boundaries. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1046 http://lists.openwall.net/linux-kernel/2009/01/30/333 http://lists.openwall.net/linux-kernel/2009/02/02/364 http://www.openwall.com/lists/oss-security/2009/02/12/10 http://www.openwall.com/lists/oss-security/2009/02/12/11 http://www.openwall.com/lists/oss-security/2009/02/12/9 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.28.4 http://www.securityfocus.com/bid/33672
This issue has been addressed in the following products: MRG for RHEL-5 Via RHSA-2009:0451 https://rhn.redhat.com/errata/RHSA-2009-0451.html