** Description changed:

- Description from the commit: The ghash_update function passes a pointer
- to gf128mul_4k_lle which will be NULL if ghash_setkey is not called or
- if the most recent call to ghash_setkey failed to allocate memory. This
- causes an oops. Fix this up by returning an error code in the null
- case. This is trivially triggered from unprivileged userspace through
- the AF_ALG interface by simply writing to the socket without setting a
- key. The ghash_final function has a similar issue, but triggering it
- requires a memory allocation failure in ghash_setkey _after_ at least
- one successful call to ghash_update.
+ crypto/ghash-generic.c in the Linux kernel before 3.1 allows local users
+ to cause a denial of service (NULL pointer dereference and OOPS) or
+ possibly have unspecified other impact by triggering a failed or missing
+ ghash_setkey function call, followed by a (1) ghash_update function call
+ or (2) ghash_final function call, as demonstrated by a write operation
+ on an AF_ALG socket.

Break-Fix: 2cdc6899a88e2b9c6cb82ebd547bf58932d534df 7ed47b7d142ec99ad6880bbbec51e9f12b3af74c
-- 
https://bugs.launchpad.net/bugs/887299

Title:
  CVE-2011-4081
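The key-state guard described in the bug description above, as an added example that is not part of the original notification and is not kernel code: a simplified user-space C model of the setkey/update/final lifecycle, covering both the never-keyed case and the failed re-key case. The `model_*` names, the heap copy of the key standing in for the multiplication table, the `fail_next_alloc` hook and the choice of `-ENOKEY` as the error code are assumptions of this sketch.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Simplified user-space model; every name below is hypothetical. */
struct model_ctx  { uint8_t *table; };   /* stands in for the per-key multiplication table */
struct model_desc { uint8_t buf[16]; };  /* running digest state */
static int fail_next_alloc;              /* test hook: simulate an allocation failure */

/* Bitwise GF(2^128) multiply in GHASH bit order: x = x * h. */
static void gf128_mul(uint8_t x[16], const uint8_t h[16]) {
    uint8_t z[16] = {0}, v[16];
    memcpy(v, h, 16);
    for (int i = 0; i < 128; i++) {
        if (x[i / 8] & (0x80 >> (i % 8))) for (int j = 0; j < 16; j++) z[j] ^= v[j];
        int lsb = v[15] & 1;
        for (int j = 15; j > 0; j--) v[j] = (uint8_t)((v[j] >> 1) | (v[j - 1] << 7));
        v[0] >>= 1;
        if (lsb) v[0] ^= 0xe1;           /* reduce by the GCM polynomial */
    }
    memcpy(x, z, 16);
}

/* Assumption: the old table is dropped before the new allocation, so a failed re-key leaves none. */
int model_setkey(struct model_ctx *ctx, const uint8_t *key, size_t len) {
    if (len != 16) return -EINVAL;
    free(ctx->table);
    ctx->table = fail_next_alloc ? NULL : malloc(16);
    fail_next_alloc = 0;
    if (!ctx->table) return -ENOMEM;
    memcpy(ctx->table, key, 16);
    return 0;
}

/* Whole 16-byte blocks only, to keep the model short. */
int model_update(struct model_ctx *ctx, struct model_desc *d, const uint8_t *src, size_t len) {
    if (!ctx->table) return -ENOKEY;     /* guard: refuse before touching the table (code is this model's choice) */
    if (len % 16) return -EINVAL;
    for (; len; len -= 16, src += 16) {
        for (int j = 0; j < 16; j++) d->buf[j] ^= src[j];
        gf128_mul(d->buf, ctx->table);
    }
    return 0;
}

int model_final(struct model_ctx *ctx, struct model_desc *d, uint8_t out[16]) {
    if (!ctx->table) return -ENOKEY;     /* same guard on the final path */
    memcpy(out, d->buf, 16);
    return 0;
}
```

Without the two guards, `model_update` would hand a NULL table to `gf128_mul` in both the unkeyed and the failed re-key sequences.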
