Linux Kernel USB Driver Uninitialized Structures May Disclose Kernel Memory to Local Users
SecurityTracker Alert ID: 1011078
SecurityTracker URL: http://securitytracker.com/id/1011078
CVE Reference: CAN-2004-0685
Date: Aug 27 2004
Impact:
Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 2.4.27
Description:
A vulnerability was reported in the Linux kernel in certain USB drivers. A local user may be able to obtain kernel memory contents.
Several vendors reported that certain USB drivers in the Linux kernel use uninitialized structures and then make copy_to_user(...) kernel calls from these structures. As a result, a local user may be able to obtain uninitialized kernel memory contents.
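The bug class described above, reproduced in user space as an added example (not code from the advisory or from any kernel driver): a reply structure is filled field by field and copied out whole, so padding and unwritten array bytes still hold whatever the memory contained before. `struct dev_info`, `fake_copy_to_user()` and the 0xAA marker are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xAA /* constructed marker standing in for leftover kernel data */

/* Hypothetical ioctl reply; not taken from any real USB driver. */
struct dev_info {
    uint8_t  speed;     /* typically followed by 3 bytes of padding */
    uint32_t vendor_id;
    char     name[16];  /* the handler fills only part of this */
};

/* Stand-in for a reused stack slot or slab object. */
static struct dev_info slot;

/* User-space stand-in for copy_to_user(): copies the whole object. */
static void fake_copy_to_user(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
}

/* Runs the handler and returns how many stale bytes reached the caller. */
static size_t stale_bytes_copied_out(int zero_first)
{
    unsigned char user_buf[sizeof(struct dev_info)];
    size_t i, stale = 0;

    memset(&slot, STALE, sizeof(slot));   /* previous occupant's data */
    if (zero_first)
        memset(&slot, 0, sizeof(slot));   /* hardened: clear before use */

    slot.speed = 2;                       /* constructed sample values */
    slot.vendor_id = 0x1234;
    strcpy(slot.name, "usb0");            /* writes 5 of 16 bytes */

    fake_copy_to_user(user_buf, &slot, sizeof(slot));
    for (i = 0; i < sizeof(user_buf); i++)
        stale += (user_buf[i] == STALE);
    return stale;
}

int main(void)
{
    printf("struct size: %zu\n", sizeof(struct dev_info));
    printf("stale bytes, no init: %zu\n", stale_bytes_copied_out(0));
    printf("stale bytes, memset:  %zu\n", stale_bytes_copied_out(1));
    return 0;
}
```

The exact count without initialization depends on the ABI's padding; the unwritten tail of `name` alone accounts for 11 bytes.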
Impact:
A local user may be able to obtain portions of kernel memory.
Solution:
A fixed kernel version (2.4.27) is available at:
http://kernel.org/
Cause:
Access control error, State error
Underlying OS:
Message History:
None.
Source Message Contents
Date: Aug 9, 2004
Subject: CAN-2004-0685
Several vendors reported that certain USB drivers in the Linux kernel use uninitialized
structures and then make copy_to_user(...) kernel calls from these structures. As a
result, a local user may be able to obtain uninitialized kernel memory contents.
CVE: CAN-2004-0685