kernel vulnerability

[BruceLee]

Do I assume correctly that this kernel version patches/fixes this vulnerability as well?
[tortix-kernel] 3.2.58-66
If ASL kernel is vulnerable at all

The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings.

SOURCE:
https://cve.mitre.org/cgi-bin/cvename.c ... -2014-0196
Patch:
https://git.kernel.org/cgit/linux/kerne ... 33dc3ace00
Thanks

[scott]

Any combination of KERNEXEC, UDEREF, RANDSTRUCT, or HIDESYM will prevent the published exploit from working, which have all been standard features in the ASL kernel since the beginning. So this doesn't affect ASL kernels.

Whats really unique about this is that its actually published. Historically kernel heap overflow exploits aren't often released publicly.

Gory details:
The exploit as written was designed to only work on the 3.14 to 3.14.3 kernels (fixed in 3.14.4) and is highly unreliable. Though the exploit is of low quality, this is
a high quality vulnerability and something to be concerned about in kernels 2.6.31 and up.

TL;DR: Does not affect ASL kernels. Vulnerable versions are 2.6.31-3.14.3

[BruceLee]

wonderful. thanks a lot for the quick reply and the explanation

[prupert]

TL;DR: Does not affect ASL kernels. Vulnerable versions are 2.6.31-3.14.3

Good to know: if you are using the stock RHEL / CentOS 6 kernel (which is 2.6.32-431.17.1), you are NOT vulnerable to this issue.
See https://access.redhat.com/security/cve/CVE-2014-0196

That said, the ASL kernel offers way better protection against other vulnerabilities.