** Description changed:

  Currently we do not validate the vector length before calling
  get_user_pages_fast(), so the host stack could easily be overflowed by
  a malicious guest driver that gives us a descriptor with length greater
  than MAX_SKB_FRAGS.  A privileged guest user could use this flaw to
  induce a stack overflow on the host with data not controlled by the
  attacker (some bits can be guessed, as it will be pointers to kernel
  memory) but with an attacker-controlled length.
+ 
+ Break-Fix: - b92946e2919134ebe2a4083e4302236295ea2a73

https://bugs.launchpad.net/bugs/987566

Title:
  CVE-2012-2119
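
The missing check described above, as an added userspace model in C (not the kernel code or the Break-Fix commit): the page count implied by a guest-supplied vector is validated against the fixed array capacity before any entry is written. `struct seg` and the function names are hypothetical, and the 4 KiB page size and the `MAX_SKB_FRAGS` value of 17 are assumptions for this model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#define PAGE_SHIFT    12                /* assumption: 4 KiB pages */
#define PAGE_SIZE     ((size_t)1 << PAGE_SHIFT)
#define MAX_SKB_FRAGS 17                /* assumption: constructed value for this model */

struct seg { uintptr_t base; size_t len; };  /* hypothetical guest-supplied vector entry */

/* Pages touched by [base, base+len); over-long segments saturate above the limit. */
static size_t pages_spanned(uintptr_t base, size_t len)
{
    if (len == 0)
        return 0;
    if (len > ((size_t)MAX_SKB_FRAGS << PAGE_SHIFT))
        return MAX_SKB_FRAGS + 1;       /* also avoids overflow in the sum below */
    return ((base & (PAGE_SIZE - 1)) + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
}

/* Validate the whole vector first: total pages, or -EMSGSIZE if it cannot fit. */
static long count_frag_pages(const struct seg *v, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        size_t p = pages_spanned(v[i].base, v[i].len);
        if (p > MAX_SKB_FRAGS - total)  /* total <= MAX_SKB_FRAGS, so no wrap */
            return -EMSGSIZE;
        total += p;
    }
    return (long)total;
}

/* Stand-in for the pinning step: fills a fixed-size array only after the check. */
static long pin_pages_checked(const struct seg *v, size_t n, uintptr_t out[MAX_SKB_FRAGS])
{
    long need = count_frag_pages(v, n);
    size_t k = 0;
    if (need < 0)
        return need;                    /* reject before touching out[] */
    for (size_t i = 0; i < n; i++) {
        uintptr_t first = v[i].base & ~(uintptr_t)(PAGE_SIZE - 1);
        size_t p = pages_spanned(v[i].base, v[i].len);
        for (size_t j = 0; j < p; j++)
            out[k++] = first + j * PAGE_SIZE;
    }
    return (long)k;
}
```

Counting pages rather than vector entries matters because a single unaligned segment can span more pages than its entry count suggests.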