| Name | Description |
|---|---|
| CVE-2018-17972 | An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel through 4.18.11. It does not ensure that only root may inspect the kernel stack of an arbitrary task, allowing a local attacker to exploit racy stack unwinding and leak kernel task stack contents. |
| CVE-2017-9701 | In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while processing OEM unlock/unlock-go fastboot commands a data leak may occur, resulting from writing an uninitialized stack structure to non-volatile memory. |
| CVE-2017-15824 | In Android releases from CAF using the Linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05, the function UpdateDeviceStatus() writes a local stack buffer without initialization to flash memory using WriteToPartition(), which may potentially leak memory. |
| CVE-2017-1000410 | The Linux kernel version 3.3-rc1 and later is affected by a vulnerability that lies in the processing of incoming L2CAP commands: ConfigRequest and ConfigResponse messages. This info leak is a result of uninitialized stack variables that may be returned to an attacker in their uninitialized state. By manipulating the code flows that precede the handling of these configuration messages, an attacker can also gain some control over which data will be held in the uninitialized stack variables. This can allow the attacker to bypass KASLR and stack canary protection, as both pointers and stack canaries may be leaked in this manner. Combining this vulnerability (for example) with the previously disclosed RCE vulnerability in L2CAP configuration parsing (CVE-2017-1000251) may allow an attacker to exploit the RCE against kernels which were built with the above mitigations. These are the specifics of this vulnerability: in the function l2cap_parse_conf_rsp and in the function l2cap_parse_conf_req the following variable is declared without initialization: `struct l2cap_conf_efs efs;`. In addition, when parsing input configuration parameters in both of these functions, the switch case for handling EFS elements may skip the memcpy call that will write to the efs variable: `... case L2CAP_CONF_EFS: if (olen == sizeof(efs)) memcpy(&efs, (void *)val, olen); ...`. The olen in the above if is attacker controlled, and regardless of that if, in both of these functions the efs variable would eventually be added to the outgoing configuration request that is being built: `l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), (unsigned long) &efs);`. So by sending a configuration request, or response, that contains an L2CAP_CONF_EFS element, but with an element length that is not sizeof(efs), the memcpy to the uninitialized efs variable can be avoided, and the uninitialized variable would be returned to the attacker (16 bytes). |
| CVE-2016-4578 | sound/core/timer.c in the Linux kernel through 4.6 does not initialize certain r1 data structures, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions. |
| CVE-2016-4569 | The snd_timer_user_params function in sound/core/timer.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface. |
| CVE-2016-4486 | The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel before 4.5.5 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory by reading a Netlink message. |
| CVE-2016-4485 | The llc_cmsg_rcv function in net/llc/af_llc.c in the Linux kernel before 4.5.5 does not initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory by reading a message. |
| CVE-2016-4482 | The proc_connectinfo function in drivers/usb/core/devio.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFS_CONNECTINFO ioctl call. |
| CVE-2013-6392 | The genlock_dev_ioctl function in genlock.c in the Genlock driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted GENLOCK_IOC_EXPORT ioctl call. |
| CVE-2013-3237 | The vsock_stream_sendmsg function in net/vmw_vsock/af_vsock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. |
| CVE-2013-3236 | The vmci_transport_dgram_dequeue function in net/vmw_vsock/vmci_transport.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. |
| CVE-2013-3235 | net/tipc/socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure and a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. |
| CVE-2013-3234 | The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. |
| CVE-2013-3233 | The llcp_sock_recvmsg function in net/nfc/llcp/sock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable and a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. |
| CVE-2013-3232 | The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. |
| CVE-2013-3231 | The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. |
| CVE-2013-3230 | The l2tp_ip6_recvmsg function in net/l2tp/l2tp_ip6.c in the Linux kernel before 3.9-rc7 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. |
| CVE-2013-3229 | The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. |
| CVE-2013-3228 | The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. |
| CVE-2013-3227 | The caif_seqpkt_recvmsg function in net/caif/caif_socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. |
| CVE-2013-3226 | The sco_sock_recvmsg function in net/bluetooth/sco.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. |
| CVE-2013-3225 | The rfcomm_sock_recvmsg function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. |
| CVE-2013-3224 | The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. |
| CVE-2013-3223 | The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. |
| CVE-2013-3222 | The vcc_recvmsg function in net/atm/common.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. |
| CVE-2013-3076 | The crypto API in the Linux kernel through 3.9-rc8 does not initialize certain length variables, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call, related to the hash_recvmsg function in crypto/algif_hash.c and the skcipher_recvmsg function in crypto/algif_skcipher.c. |
| CVE-2013-2635 | The rtnl_fill_ifinfo function in net/core/rtnetlink.c in the Linux kernel before 3.8.4 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. |
| CVE-2013-2634 | net/dcb/dcbnl.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. |
| CVE-2013-2546 | The report API in the crypto user configuration API in the Linux kernel through 3.8.2 uses an incorrect C library function for copying strings, which allows local users to obtain sensitive information from kernel stack memory by leveraging the CAP_NET_ADMIN capability. |
| CVE-2013-2239 | vzkernel before 042stab080.2 in the OpenVZ modification for the Linux kernel 2.6.32 does not initialize certain length variables, which allows local users to obtain sensitive information from kernel stack memory via (1) a crafted ploop driver ioctl call, related to the ploop_getdevice_ioc function in drivers/block/ploop/dev.c, or (2) a crafted quotactl system call, related to the compat_quotactl function in fs/quota/quota.c. |
| CVE-2013-1928 | The do_video_set_spu_palette function in fs/compat_ioctl.c in the Linux kernel before 3.6.5 on unspecified architectures lacks a certain error check, which might allow local users to obtain sensitive information from kernel stack memory via a crafted VIDEO_SET_SPU_PALETTE ioctl call on a /dev/dvb device. |
| CVE-2012-6547 | The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. |
| CVE-2012-6546 | The ATM implementation in the Linux kernel before 3.6 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. |
| CVE-2012-6544 | The Bluetooth protocol stack in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that targets the (1) L2CAP or (2) HCI implementation. |
| CVE-2012-6543 | The l2tp_ip6_getname function in net/l2tp/l2tp_ip6.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. |
| CVE-2012-6542 | The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel before 3.6 has an incorrect return value in certain circumstances, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that leverages an uninitialized pointer argument. |
| CVE-2012-6541 | The ccid3_hc_tx_getsockopt function in net/dccp/ccids/ccid3.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. |
| CVE-2012-6540 | The do_ip_vs_get_ctl function in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 3.6 does not initialize a certain structure for IP_VS_SO_GET_TIMEOUT commands, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. |
| CVE-2012-6539 | The dev_ifconf function in net/socket.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. |
| CVE-2012-3430 | The rds_recvmsg function in net/rds/recv.c in the Linux kernel before 3.0.44 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a (1) recvfrom or (2) recvmsg system call on an RDS socket. |
| CVE-2012-0957 | The override_release function in kernel/sys.c in the Linux kernel before 3.4.16 allows local users to obtain sensitive information from kernel stack memory via a uname system call in conjunction with a UNAME26 personality. |
| CVE-2010-3881 | arch/x86/kvm/x86.c in the Linux kernel before 2.6.36.2 does not initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel stack memory via read operations on the /dev/kvm device. |
| CVE-2010-3877 | The get_name function in net/tipc/socket.c in the Linux kernel before 2.6.37-rc2 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure. |
| CVE-2010-3876 | net/packet/af_packet.c in the Linux kernel before 2.6.37-rc2 does not properly initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel stack memory by leveraging the CAP_NET_RAW capability to read copies of the applicable structures. |
| CVE-2010-3875 | The ax25_getname function in net/ax25/af_ax25.c in the Linux kernel before 2.6.37-rc2 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure. |
| CVE-2010-3078 | The xfs_ioc_fsgetxattr function in fs/xfs/linux-2.6/xfs_ioctl.c in the Linux kernel before 2.6.36-rc4 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an ioctl call. |
| CVE-2009-2847 | The do_sigaltstack function in kernel/signal.c in Linux kernel 2.4 through 2.4.37 and 2.6 before 2.6.31-rc5, when running on 64-bit systems, does not clear certain padding bytes from a structure, which allows local users to obtain sensitive information from the kernel stack via the sigaltstack function. |
| CVE-2003-0418 | The Linux 2.0 kernel IP stack does not properly calculate the size of an ICMP citation, which causes it to include portions of unauthorized memory in ICMP error responses. |