Bug 1743598 (CVE-2010-5331)
| Summary: | CVE-2010-5331 kernel: range check issue in drivers/gpu/drm/radeon/atombios.c leads to buffer overflow | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, plougher, rt-maint, rvrbovsk, steved, williams, wmealing, yozone |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | A vulnerability was found in the Linux kernel where a range check issue in drivers/gpu/drm/radeon/atombios.c could cause an off-by-one buffer overflow problem. It has been determined that this flaw cannot be influenced by an attacker. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-02-20 08:09:34 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1743600 | | |
| Bug Blocks: | 1743602 | | |
Description
Dhananjay Arunesh
2019-08-20 09:48:09 UTC
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1743600]

This was fixed for Fedora in 2.6.34, and was never present in any currently supported version of Fedora.

Some background:
This would only affect systems with Radeon series graphics cards; Nvidia, Intel, and other graphics card vendors are not affected by this flaw. The "AtomBIOS" is a section of PCI configuration space (it has a likeness to ACPI) where the operating system can use the code stored there to issue commands for the AMD video card to configure itself. These commands provide a method for the driver to configure the graphics card without having to know the specific registers and values to write on a per-card basis.
But I digress. I think that this CVE is incorrectly assigned; it should be disputed.
The problem:

```
bool radeon_atom_get_tv_timings(struct radeon_device *rdev, int index, <-- THIS VALUE - INDEX
                                struct drm_display_mode *mode)
{
<snip>
+       if (index >= MAX_SUPPORTED_TV_TIMING)
<snip>
}
```

^ The fix is to check that the index is not greater than a hardcoded value.
So, let's take a look at how that's called, in two places:
1) atombios_encoders.c radeon_atom_mode_fixup line 333: radeon_atom_get_tv_timings(rdev, 0, adjusted_mode);
2) atombios_encoders.c radeon_atom_mode_fixup line 335: radeon_atom_get_tv_timings(rdev, 1, adjusted_mode);
Index, the second parameter, is -hard coded-, which, as far as I can see, is declared in atombios.h, so I checked whether maybe it was user controllable at some time. It was introduced in commit 3f03ced880879 and never changed, so... maybe MAX_SUPPORTED_TV_TIMING was different at some point?
So let's look for that...

```
#define MAX_SUPPORTED_TV_TIMING 2
```

This was added by commit 771fe6b912fca, which is the initial introduction of this patch. This value has never changed.
I have written to Mitre to reject this CVE on these grounds. It is my recommendation that Red Hat not fix this flaw, as it is a misuse of engineering time.
References:
https://wiki.osdev.org/AMD_Atombios
https://www.kernel.org/doc/html/v4.15/gpu/drm-kms.html
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2010-5331

Statement: Red Hat will not be fixing this flaw as it has been analyzed as not affecting any version of Linux.
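An added C model of the lookup analysed above, constructed for this page and not taken from the kernel: a two-entry table bounded by MAX_SUPPORTED_TV_TIMING, the `>=` check from the fix beside a `>` variant that would be the off-by-one, and a stand-in for the two call sites that pass the constant indices 0 and 1. The names tv_timing, get_tv_timings and simulate_mode_fixup, and the sample timing values, are assumptions.

```c
#include <stdbool.h>

/* Constructed model of the radeon AtomBIOS TV-timing lookup; not kernel code. */
#define MAX_SUPPORTED_TV_TIMING 2

struct tv_timing { int hdisplay; int vdisplay; int vrefresh; };

/* Constructed sample table: two entries, so valid indices are 0 and 1 only. */
static const struct tv_timing tv_timings[MAX_SUPPORTED_TV_TIMING] = {
    { 720, 480, 60 },
    { 720, 576, 50 },
};

/* Off-by-one bound: '>' still admits index == MAX_SUPPORTED_TV_TIMING,
 * which is one past the last element of the table. */
bool index_ok_off_by_one(int index) {
    return !(index < 0 || index > MAX_SUPPORTED_TV_TIMING);
}

/* Correct bound, as in the fix quoted above: reject index >= MAX_SUPPORTED_TV_TIMING. */
bool index_ok_fixed(int index) {
    return !(index < 0 || index >= MAX_SUPPORTED_TV_TIMING);
}

/* Bounded lookup; returns false instead of reading past the table. */
bool get_tv_timings(int index, struct tv_timing *out) {
    if (!index_ok_fixed(index))
        return false;
    *out = tv_timings[index];
    return true;
}

/* Convenience for checking the lookup outcome without exposing the struct. */
bool lookup_succeeds(int index) {
    struct tv_timing t;
    return get_tv_timings(index, &t);
}

/* Mirrors the two hard-coded call sites in radeon_atom_mode_fixup:
 * index 0 for one TV standard, index 1 for the other. Since the index
 * is a compile-time constant, no caller-supplied value reaches the check. */
int simulate_mode_fixup(bool second_standard) {
    struct tv_timing t;
    if (!get_tv_timings(second_standard ? 1 : 0, &t))
        return -1;
    return t.vrefresh;
}
```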