Bug 113604

Summary: CAN-2004-0003 r128 DRI
Product: Red Hat Enterprise Linux 3
Reporter: Mark J. Cox <mjc>
Component: kernel
Assignee: John Dennis <jdennis>
Status: CLOSED ERRATA
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 3.0
CC: alan, davej, mharris, petrides, riel
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2004-05-12 01:08:19 UTC
Attachments (description, flags):
posted by Alan Cox on 1/14/2004 (flags: none)
modified patch (flags: none)
fix missing check in 4th routine (flags: none)

Description Mark J. Cox 2004-01-15 18:17:35 UTC
Alan Cox found issues in the R128 Direct render infrastructure which
could allow local privilege escalation.

Alan posted a fix to the dri-devel sourceforge list on Jan 14th.

Affects: 3

Comment 3 John Dennis 2004-02-12 21:47:39 UTC
Created attachment 97633
posted by Alan Cox on 1/14/2004

Comment 10 John Dennis 2004-02-24 21:31:15 UTC
Created attachment 98015
modified patch

The original patch did not check for a negative count. Arbitrary hardcoded
limits which are not part of the API (e.g. in a header file) are dubious
practice. Patch is modified to test for negative values and multiplication
overflow; no other limits appear necessary.

Comment 12 John Dennis 2004-02-27 17:38:41 UTC
Created attachment 98112
fix missing check in 4th routine

Eagle-eyed Ernie Petrides on the rh-kernel noted only 3 of 4 equivalent
routines had the parameter validation check applied. This new patch revision
adds the omitted check on the 4th routine.
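
The two points raised in Comments 10 and 12 (reject negative counts and multiplication overflow, and apply the check to every equivalent routine), as an added example that is not the attached patch or any r128 driver code. All function names are hypothetical, and 32-bit size arithmetic is assumed so the wraparound is reproducible on any host.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked form: the byte size comes straight from a caller-supplied count.
 * uint32_t models 32-bit size arithmetic (an assumption of this example). */
static uint32_t unchecked_bytes(int32_t count, uint32_t elem_size)
{
    return (uint32_t)count * elem_size;   /* wraps modulo 2^32 */
}

/* Checked form: reject a negative count and any count whose product with
 * elem_size does not fit, without an arbitrary hardcoded upper limit. */
static int checked_bytes(int32_t count, uint32_t elem_size, uint32_t *bytes)
{
    if (count < 0)
        return -EINVAL;
    if (elem_size != 0 && (uint32_t)count > UINT32_MAX / elem_size)
        return -EINVAL;
    *bytes = (uint32_t)count * elem_size;
    return 0;
}

/* Four hypothetical "equivalent routines". Each obtains its size only through
 * checked_bytes(), so no routine can be left without the validation. */
typedef int (*routine_fn)(int32_t count, uint32_t *bytes);
static int routine_a(int32_t c, uint32_t *b) { return checked_bytes(c, 4, b); }
static int routine_b(int32_t c, uint32_t *b) { return checked_bytes(c, 4, b); }
static int routine_c(int32_t c, uint32_t *b) { return checked_bytes(c, 1, b); }
static int routine_d(int32_t c, uint32_t *b) { return checked_bytes(c, 1, b); }
static const routine_fn routines[] = { routine_a, routine_b, routine_c, routine_d };

/* Returns how many of the four routines reject the given count. */
static int count_rejections(int32_t count)
{
    uint32_t bytes;
    int rejected = 0;
    for (size_t i = 0; i < sizeof(routines) / sizeof(routines[0]); i++)
        if (routines[i](count, &bytes) == -EINVAL)
            rejected++;
    return rejected;
}

int main(void)
{
    /* Constructed inputs: 0x40000001 * 4 wraps to a 4-byte size unchecked. */
    printf("unchecked: %u\n", (unsigned)unchecked_bytes(0x40000001, 4));
    printf("rejected: %d %d\n", count_rejections(-1), count_rejections(0x40000001));
    return 0;
}
```

The overflow bound depends on the element size, so only the two routines with 4-byte elements reject 0x40000001, while all four reject a negative count.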

Comment 13 Ernie Petrides 2004-03-05 20:34:45 UTC
Just to confirm, this was committed to the RHEL3 U2 patch pool
in kernel version 2.4.21-9.15.EL.


Comment 14 John Flanagan 2004-05-12 01:08:19 UTC
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2004-188.html