The sg_build_indirect function in drivers/scsi/sg.c in Linux kernel 2.6.28-rc1 up to and including 2.6.31-rc8 uses an incorrect variable when accessing an array, which allows local users to cause a denial of service (kernel OOPS and NULL pointer dereference), as demonstrated by using xcdroast to duplicate a CD. NOTE: this is only exploitable by users who can open the cdrom device.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
linux linux kernel 2.6.31-rc2 |
||
linux linux kernel 2.6.31-rc3 |
||
linux linux kernel 2.6.31-rc4 |
||
linux linux kernel 2.6.31-rc5 |
||
linux linux kernel 2.6.31-rc6 |
||
kernel linux kernel 2.6.28-rc1 |
||
linux linux kernel 2.6.31-rc9 |
||
linux linux kernel 2.6.31-rc10 |
||
linux linux kernel 2.6.31-rc7 |
||
linux linux kernel 2.6.31-rc8 |