Track record in vulnerability research --> 100+ vulnerabilities reported or patched for the open-source kernels. The following is an incomplete list of public references, without following any propagation of patches to different vendors.

************************************
************************************
LINUX
************************************
************************************

http://www.linux.org.uk/diary
What is Alan (Cox) doing...

"
July 31st

Sorted out various security related stuff for Marcelo. Yes 2.4.19 fixes local security holes. Special thanks to Silvio Cesare who found a new subspecies of kernel problem in the procfs code as well as a couple of sign handling cases the Stanford checker missed. No I'm not telling you what the holes are - Americans read this diary.
"

************************************

http://freshmeat.net/articles/view/539/

"
Red Hat, Inc. Red Hat Security Advisory

Synopsis: New kernel update available, fixes i810 video oops, several security issues
Advisory ID: RHSA-2002:158-09
Issue date: 2002-07-26
Updated on: 2002-08-20
Product: Red Hat Linux

...

All of the security issues were found during an audit, and none of them, at the time of this writing, have any known exploits. We would like to thank Silvio Cesare, Stas Sergeev, Andi Kleen, Solar Designer, and others for their auditing work.
"

************************************

http://www.cs.helsinki.fi/linux/linux-kernel/2002-29/0676.html
The Linux-kernel mailing list archive
Linux Kernel 2.4.19rc3-ac3

"
Linux 2.4.19-rc3-ac3
Alan Cox (alan@redhat.com)
Tue, 23 Jul 2002 11:29:28 -0400 (EDT)

[ snip ]

o Fix sloppy sign handling in apm and rio500 (Silvio Cesare)
"

************************************

http://www.cs.helsinki.fi/linux/linux-kernel/2002-30/0395.html
2.4.19rc3-ac4

"
Linux 2.4.19-rc3-ac4
Alan Cox (alan@redhat.com)
Mon, 29 Jul 2002 13:40:58 -0400 (EDT)

[ snip ]

o Fix missing sign check in se401 driver (Silvio Cesare)
o Fix missing wrap check in usbvideo (Silvio Cesare)
"

************************************

http://www.cs.helsinki.fi/linux/linux-kernel/2002-30/0626.html
The Linux-kernel mailing list archive
2.4.19rc3-ac5

"
Linux 2.4.19rc3-ac5
Alan Cox (alan@redhat.com)
Tue, 30 Jul 2002 09:56:52 -0400 (EDT)

[ snip ]

o Tighten multiple length checks in intermezzo (Silvio Cesare, me)
o Fix upper limit on stradis cliprects (Silvio Cesare, me)
o Fix drivers/s390/dasd write limit (Silvio Cesare, me)
o Fix ewrk3 and natsemi driver lengthchecks (Silvio Cesare, me)
"

************************************

http://www.cs.helsinki.fi/linux/linux-kernel/2002-32/0110.html
The Linux-kernel mailing list archive
2.4.20-pre2-ac4

"
Linux 2.4.20-pre2-ac4
Alan Cox (alan@redhat.com)
Sun, 18 Aug 2002 20:05:59 -0400 (EDT)

[ snip ]

o Handle wrap cases in pcilynx (Silvio Cesare, me)
o Fix a wrong type in bttv-driver (Silvio Cesare, me)
"

************************************

[ I typically have not posted many things to this mailing list, but have submitted reports or patches directly.
There do exist some recent references however on the list itself - Silvio ]

http://www.cs.helsinki.fi/linux/linux/kernel/2002-29
The Linux-kernel mailing list archive

"
2.4.18 bugs
silvio.cesare@hushmail.com
Thu, 25 Jul 2002 12:02:37 -0700

2.4.18

below are a few bugs leading to reading kernel memory using some of the usb drivers.

[ snip ]

--
Silvio
"

************************************

http://www.cs.helsinki.fi/linux/linux/kernel/2002-31
The Linux-kernel mailing list archive

"
PATCH 2.4.19: drivers/video/sbusfb.c
silvio.cesare@hushmail.com
Tue, 6 Aug 2002 22:11:54 -0700

integer overflow in index + count, leading to unbounded copies. patch has not been tested or verified.

--
Silvio
"

[ I don't have the hardware for most drivers, so it's often hard to test, or even sometimes compile - Silvio ]

************************************
************************************
FREEBSD
************************************
************************************

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/kern/uipc_syscalls.c
The FreeBSD CVS repository

Revision 1.123, Fri Aug 9 05:50:32 2002 UTC by rwatson
Branch: MAIN
Changes since 1.122: +2 -0 lines

Add additional range checks for copyout targets.
Submitted by: Silvio Cesare

***********************************

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/i386/isa/vesa.c
The FreeBSD CVS repository

Revision 1.37, Fri Aug 9 05:50:31 2002 UTC by rwatson
Branch: MAIN
CVS Tags: HEAD
Changes since 1.36: +4 -2 lines

Add additional range checks for copyout targets.
Submitted by: Silvio Cesare

***********************************

FreeBSD-SA-02:38.signed-error Security Advisory
The FreeBSD Project

Topic: Boundary checking errors involving signed integers
Category: core
Module: sys
Announced: 2002-08-19
Credits: Silvio Cesare
Affects: All releases of FreeBSD up to and including 4.6.1-RELEASE-p10
Corrected: 2002-08-13 02:42:32 UTC (RELENG_4)
           2002-08-13 12:12:36 UTC (RELENG_4_6)
           2002-08-13 12:13:05 UTC (RELENG_4_5)
           2002-08-13 12:13:49 UTC (RELENG_4_4)
FreeBSD only: YES

[ snip ]

**********************************
**********************************
OPENBSD
**********************************
**********************************

http://www.squish.net/pipermail/owc/2002-August/00380.html
The OpenBSD weekly src changes [ending 2002-08-04]

[ snip ]

arch/amiga/dev
~ grf_cl.c
~ grf_cv.c
~ grf_et.c
~ grf_rh.c
~ grf_rt.c
~ grf_ul.c
~ view.c
> Do correct bounds checking in get/set/put cmap routines. A few of
> these checks were already OK but have been modified for consistency.
> Problem found by Silvio Cesare.

arch/hp300/hp300
~ hpux_machdep.c
> In hpux_sys_getcontext(), check for len <= 0 and return EINVAL.
> Noted by Silvio Cesare

[ snip ]

~ vgafb.c
> Do correct bounds checking in get/set/put cmap routines. A few of
> these checks were already OK but have been modified for consistency.
> Problem found by Silvio Cesare.

[ snip ]

arch/sparc/dev
~ bt_subr.c
~ cgtwo.c
~ cgfourteen.c
> Do correct bounds checking in get/set/put cmap routines. A few of
> these checks were already OK but have been modified for consistency.
> Problem found by Silvio Cesare.

[ snip ]

~ vgafb.c
> Do correct bounds checking in get/set/put cmap routines. A few of
> these checks were already OK but have been modified for consistency.
> Problem found by Silvio Cesare.

[ snip ]

arch/sun3/dev
~ bt_subr.c
~ cg2.c
~ cg4.c
> Do correct bounds checking in get/set/put cmap routines. A few of
> these checks were already OK but have been modified for consistency.
> Problem found by Silvio Cesare.

[ snip ]

compat/hpux
~ hpux_compat.c
> More possible int overflows found by Silvio Cesare.
> ibcs2_stat.c one OK by provos@

compat/ibcs2
~ ibcs2_stat.c
> More possible int overflows found by Silvio Cesare.
> ibcs2_stat.c one OK by provos@

[ snip ]

~ bt463.c
~ bt485.c
~ ibm561.c
> Do correct bounds checking in get/set/put cmap routines. A few of
> these checks were already OK but have been modified for consistency.
> Problem found by Silvio Cesare.

[ snip ]

~ cgsix.c
~ cgthree.c
> Do correct bounds checking in get/set/put cmap routines. A few of
> these checks were already OK but have been modified for consistency.
> Problem found by Silvio Cesare.

[ snip ]

ufs/lfs
~ lfs_syscalls.c
> More possible int overflows found by Silvio Cesare.
> ibcs2_stat.c one OK by provos@

**********************************
**********************************
NETBSD
**********************************
**********************************

http://cvsweb.netbsd.org
The NetBSD CVS repository.

[ The fixes that propagated from OpenBSD have been excluded here - Silvio ]

syssrc/sys/arch/lun68k/dev/lunafb.c
Revision 1.7.6.1, Wed Aug 7 01:48:34 2002 UTC by lukem
Branch: netbsd-1-6
CVS Tags: netbsd-1-6-RC1
Changes since 1.7: +3 -3 lines

Pull up revision 1.9 (requested by itojun in ticket #616):
integer overflow. from silvio@qualys.com

--

syssrc/sys/arch/arm/iomd/vidcvideo.c
Revision 1.14, Tue Aug 6 22:46:11 2002 UTC by itojun
Branch: MAIN
CVS Tags: nathanw_sa_newbase, nathanw_sa_base, HEAD
Changes since 1.13: +3 -3 lines

integer overflow.
from silvio@qualys.com

--

syssrc/sys/arch/amiga/dev/grf_cv3d.c
Revision 1.11, Tue Aug 6 22:44:38 2002 UTC by itojun
Branch: MAIN
CVS Tags: nathanw_sa_newbase, HEAD
Changes since 1.10: +3 -3 lines

integer overflow. reported by silvio@qualys.com

--

syssrc/sys/compat/ibcs2/ibcs2_stat.c
Revision 1.21, Tue Aug 6 22:50:37 2002 UTC by itojun
Branch: MAIN
Changes since 1.20: +8 -3 lines

buffer len check. from silvio@qualys.com

--

syssrc/sys/dev/sun/bt_subr.c
Revision 1.3, Tue Aug 6 22:51:45 2002 UTC by itojun
Branch: MAIN
CVS Tags: nathanw_sa_newbase, HEAD
Changes since 1.2: +3 -3 lines

integer overflow. from silvio@qualys.com

--

syssrc/sys/dev/tc/cfb.c
Revision 1.34, Tue Aug 6 22:52:30 2002 UTC by itojun
Branch: MAIN
CVS Tags: nathanw_sa_newbase
Changes since 1.33: +3 -3 lines

integer overflow. from silvio@qualys.com

--

syssrc/sys/dev/tc/sfb.c
Revision 1.53, Tue Aug 6 22:52:30 2002 UTC by itojun
Branch: MAIN
CVS Tags: nathanw_sa_newbase
Changes since 1.52: +3 -3 lines

integer overflow. from silvio@qualys.com

--

syssrc/sys/dev/tc/xcfb.c
Revision 1.29, Tue Aug 6 22:52:53 2002 UTC by itojun
Branch: MAIN
CVS Tags: nathanw_sa_newbase
Changes since 1.28: +3 -3 lines

integer overflow.
from silvio@qualys.com

--

syssrc/sys/arch/hpcmips/dev/ite8181.c
Revision 1.17, Tue Aug 6 22:53:37 2002 UTC by itojun
Branch: MAIN
CVS Tags: nathanw_sa_newbase, HEAD
Changes since 1.16: +2 -2 lines

integer overflow. from silvio@qualys.com

--

syssrc/sys/arch/hpcmips/dev/mq200.c
Revision 1.21, Tue Aug 6 22:54:00 2002 UTC by itojun
Branch: MAIN
CVS Tags: nathanw_sa_newbase, HEAD
Changes since 1.20: +2 -2 lines

integer overflow. from silvio@qualys.com

--

syssrc/sys/arch/i386/i386/sys_machdep.c
Revision 1.64, Tue Aug 6 22:47:44 2002 UTC by itojun
Branch: MAIN
CVS Tags: sommerfeld_i386mpnext, sommerfeld_i386mpbase_1, nathanw_sa_newbase, HEAD
Changes since 1.63: +4 -5 lines

integer overflow. from silvio@qualys.com

--