Bugzilla – Bug 850934
VUL-1: CVE-2013-6282: kernel: arm: Missing access checks in put_user/get_user kernel API
Last modified: 2016-04-27 19:10:35 UTC
CVE-2013-6282

The get_user and put_user API functions of the Linux kernel fail to validate the target address when being used on ARM v6k/v7 platforms. This functionality was originally implemented and controlled by the domain switching feature (CONFIG_CPU_USE_DOMAINS), which has been deprecated due to architectural changes. As a result, any kernel code using these API functions may introduce a security issue where none existed before. This allows an application to read and write kernel memory to, e.g., escalate privileges.

References:
https://www.codeaurora.org/projects/security-advisories/missing-access-checks-putusergetuser-kernel-api-cve-2013-6282
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/arch/arm/include/asm/uaccess.h?id=8404663f81d212918ff85f493649a7991209fa04
http://comments.gmane.org/gmane.comp.security.oss.general/11487
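The missing target-address validation described above, modelled in user-space C as an added example (not code from the kernel, the fix commit or this bug report). The address limit, the sample addresses and every function name here are assumptions made for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ADDR_LIMIT   0xC0000000u /* assumed user/kernel split for the model */
#define USER_ADDR    0x00010000u /* constructed user-space address */
#define KERNEL_ADDR  0xC0008000u /* constructed kernel-space address */
#define MODEL_EFAULT 14

static uint32_t user_word, kernel_word = 0x11111111u;

/* Toy address space: only two words are "mapped". */
static uint32_t *model_ptr(uint32_t addr)
{
    if (addr == USER_ADDR)   return &user_word;
    if (addr == KERNEL_ADDR) return &kernel_word;
    return NULL;
}

/* 1 if [addr, addr + size) lies entirely below ADDR_LIMIT.
 * addr + size is never computed, so a 32-bit wrap cannot pass the check. */
static int range_ok(uint32_t addr, uint32_t size)
{
    if (addr >= ADDR_LIMIT)
        return 0;
    return size <= ADDR_LIMIT - addr;
}

/* Behaviour the report describes: the store happens with no address check. */
static int put_user_unchecked(uint32_t val, uint32_t addr)
{
    uint32_t *p = model_ptr(addr);
    if (!p)
        return -MODEL_EFAULT;   /* unmapped in the model */
    *p = val;
    return 0;
}

/* Same store, but the target range is validated first. */
static int put_user_checked(uint32_t val, uint32_t addr)
{
    if (!range_ok(addr, sizeof(val)))
        return -MODEL_EFAULT;
    return put_user_unchecked(val, addr);
}

int main(void)
{
    printf("checked store to kernel address: %d\n", put_user_checked(0x41, KERNEL_ADDR));
    printf("checked store to user address:   %d\n", put_user_checked(0x41, USER_ADDR));
    return 0;
}
```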
bugbot adjusting priority
As it seems fixed before we even shipped ARM stuff, it does not affect us.
Affected packages:
SLE-11-SP3: kernel-source
SLE-11-SP2: kernel-source
SLE-10-SP3-TERADATA: kernel-source
SLE-9-SP3-TERADATA: kernel-source
SLE-10-SP4: kernel-source
SLE-9-SP4: kernel-source
SLE-11-SP1-TERADATA: kernel-source