Bug 127258

Summary: CAN-2004-0619 Broadcom 5820 integer overflow
Product: Red Hat Enterprise Linux 3
Reporter: Mark J. Cox <mjc>
Component: kernel
Assignee: John W. Linville <linville>
Status: CLOSED ERRATA
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 3.0
CC: jgarzik, k.georgiou, peterm, petrides, redhat-bugzilla, riel
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
URL: http://marc.theaimsgroup.com/?l=bugtraq&m=108802653409053
Doc Type: Bug Fix
Last Closed: 2004-12-02 11:35:30 UTC
Attachments (description, flags):
bcm5820-security-fix.patch (flags: none)
bcm5820-fixes.patch (flags: none)
bcm5820-better-fixes.patch (flags: none)

Description Mark J. Cox 2004-07-05 11:12:12 UTC
Reported to Bugtraq on Jun 23.

An integer overflow in the ubsec_keysetup function for Linux Broadcom
5820 cryptonet driver allows local users to cause a denial of service
(crash) and possibly execute arbitrary code via a negative
add_dsa_buf_bytes variable, which leads to a buffer overflow.

See also http://secunia.com/advisories/11936/

(Only -unsupported in hugemem)
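
The bug class described above (a negative signed byte count leading to a buffer overflow), shown as an added illustration that is not part of the original report and is not the ubsec driver's code. The buffer size, the upper-bound-only check and all function names are hypothetical assumptions chosen to show why a signed length needs a lower-bound test as well.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEYBUF_BYTES 256   /* hypothetical fixed-size key buffer */

static unsigned char key[KEYBUF_BYTES];
static const unsigned char in[16] = "constructed";   /* constructed sample input */

/* Assumed flawed pattern: signed count, upper bound only. */
static int weak_len_ok(int add_bytes)
{
    return add_bytes <= KEYBUF_BYTES;        /* -1 passes this test */
}

/* The length a copy routine receives after int -> size_t conversion. */
static size_t as_copy_len(int add_bytes)
{
    return (size_t)add_bytes;                /* -1 becomes SIZE_MAX */
}

/* Hardened append: reject negatives, then bound by the remaining space. */
static int checked_append(unsigned char *dst, size_t cap, size_t used,
                          const unsigned char *src, int add_bytes)
{
    if (add_bytes < 0 || used > cap)
        return -1;
    if ((size_t)add_bytes > cap - used)
        return -1;
    memcpy(dst + used, src, (size_t)add_bytes);
    return 0;
}

int main(void)
{
    printf("weak check accepts -1: %d\n", weak_len_ok(-1));
    printf("copy length for -1:    %zu\n", as_copy_len(-1));
    printf("hardened, -1:          %d\n",
           checked_append(key, sizeof key, 0, in, -1));
    printf("hardened, 16 at 250:   %d\n",
           checked_append(key, sizeof key, 250, in, 16));
    printf("hardened, 16 at 0:     %d\n",
           checked_append(key, sizeof key, 0, in, 16));
    return 0;
}
```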

Comment 2 John W. Linville 2004-07-15 19:07:18 UTC
Changing platform to "All" as I don't see anything CPU-specific about
this...

Comment 5 John W. Linville 2004-07-16 18:18:59 UTC
Created attachment 101977
bcm5820-security-fix.patch

I think this patch is "obviously correct" for fixing this problem...needs
testing, of course...

Comment 6 John W. Linville 2004-07-16 18:21:20 UTC
No luck so far at tracking down a card for testing...would be eager to
hear of any test results, from anyone so equipped...

Comment 9 John W. Linville 2004-07-28 13:38:38 UTC
Created attachment 102247
bcm5820-fixes.patch

This patch includes previous security patch plus some other "cleanup" fixes...

Comment 10 John W. Linville 2004-07-28 19:41:12 UTC
Created attachment 102263
bcm5820-better-fixes.patch

Slightly enhanced version of previous patch...

Comment 12 Ernie Petrides 2004-09-04 00:39:35 UTC
A fix for this problem has just been committed to the RHEL3 U4
patch pool this evening (in kernel version 2.4.21-20.3.EL).


Comment 13 Ernie Petrides 2004-11-25 01:23:21 UTC
The fix for this problem has also been committed to the RHEL3 E4
patch pool this evening (in kernel version 2.4.21-20.0.1.EL).


Comment 14 Mark J. Cox 2004-12-02 11:35:30 UTC
http://rhn.redhat.com/errata/RHSA-2004-549.html