** Description changed: Currently we do not validate the vector length before calling get_user_pages_fast(), host stack could be easily overflowed by malicious guest driver who gives us a descriptors with length greater than MAX_SKB_FRAGS. A privileged guest user could use this flaw to induce stack overflow on the host with attacker non-controlled data (some bits can be guessed, as it will be pointers to kernel memory) but with attacker controlled length. - Break-Fix: - b92946e2919134ebe2a4083e4302236295ea2a73 + Break-Fix: 97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2 - 3afc9621f15701c557e60f61eba9242bac2771dd + Break-Fix: 97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2 - 4ef67ebedffa44ed9939b34708ac2fee06d2f65f + Break-Fix: 97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2 - 02ce04bb3d28c3333231f43bca677228dbc686fe + Break-Fix: 97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2 - 01d6657b388438def19c8baaea28e742b6ed32ec + Break-Fix: 97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2 - b92946e2919134ebe2a4083e4302236295ea2a73
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/987566 Title: CVE-2012-2119 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/987566/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
