Bug 392101 (CVE-2007-6063)

Summary: CVE-2007-6063 Linux Kernel isdn_net_setcfg buffer overflow
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: low
Version: unspecified
CC: anton, davej, dhoward, jbaron, kernel-maint, kreilly, kseifried, lwang, peterm
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-09-29 21:27:13 UTC
Bug Depends On: 392111, 392121, 392131, 392151, 392161, 456360, 456361
Attachments:
Proposed backported patch for RHEL-3.9 (flags: none)
Proposed backported patch for RHEL-2.1 (flags: none)

Description Jan Lieskovsky 2007-11-20 12:50:18 UTC
Description of problem:

The Linux kernel is prone to a buffer overflow vulnerability. This
issue is due to a design error in the 'isdn_net_setcfg()' function.
There is a buffer overflow vulnerability in function isdn_net_setcfg().

At line 1413, in drivers/isdn/i4l/isdn_common.c the 'cfg' is read from
user-space, so the 'cfg' is user-controlled. At line 1415, function
isdn_net_setcfg() is invoked. The '&cfg' is passed to isdn_net_setcfg()
as an argument.

At line 2805 in drivers/isdn/i4l/isdn_net.c, function strcpy() is invoked. The
size of argument lp->msn is 32 and cfg->eaz is 256. Because the data of '*cfg'
is user-controlled (so cfg->eaz is user-controlled), it's possible to overrun
destination string lp->msn by string cfg->eaz. When the length of string
'cfg->eaz' is greater than 32, a buffer overflow will occur.

This issue is public via:

http://bugzilla.kernel.org/show_bug.cgi?id=9416
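
The copy described in the report, next to a length-checked form, as an added user-space example. It is not the kernel source and not either of the attached backport patches; the struct names, `setcfg_checked`, `try_len` and `g_lp` are hypothetical, and only the 32-byte and 256-byte field sizes come from the report.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins (assumption): only the two fields named in the
 * report, with the sizes it gives, 32 and 256 bytes. */
struct local_sketch { char msn[32]; };
struct cfg_sketch   { char eaz[256]; };

static struct local_sketch g_lp;   /* destination used by the demo */

/* The report's pattern is: strcpy(lp->msn, cfg->eaz);
 * which writes past msn whenever strlen(cfg->eaz) >= 32.
 * Checked form: bound the length scan (user space filled eaz, so it may
 * hold no NUL at all), reject what does not fit, then copy. */
static int setcfg_checked(struct local_sketch *lp, const struct cfg_sketch *cfg)
{
    const char *nul = memchr(cfg->eaz, '\0', sizeof(cfg->eaz));
    size_t n;

    if (nul == NULL)
        return -EINVAL;                 /* unterminated source */
    n = (size_t)(nul - cfg->eaz);
    if (n >= sizeof(lp->msn))
        return -EINVAL;                 /* would overrun msn */
    memcpy(lp->msn, cfg->eaz, n);
    memset(lp->msn + n, 0, sizeof(lp->msn) - n);  /* terminate, clear old bytes */
    return 0;
}

/* Constructed input: eaz holding `len` 'A' bytes (len <= 256), NUL-padded. */
static int try_len(size_t len)
{
    struct cfg_sketch cfg;

    memset(cfg.eaz, 0, sizeof(cfg.eaz));
    memset(cfg.eaz, 'A', len);
    return setcfg_checked(&g_lp, &cfg);
}

int main(void)
{
    size_t lens[] = { 0, 31, 32, 255, 256 };
    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("len %3zu -> %d\n", lens[i], try_len(lens[i]));
    return 0;
}
```

A rejected request leaves the destination untouched, so a caller can return the error without restoring the earlier value.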

Comment 11 Eugene Teo (Security Response) 2008-07-23 05:22:09 UTC
Created attachment 312419
Proposed backported patch for RHEL-3.9

Comment 12 Eugene Teo (Security Response) 2008-07-23 05:46:18 UTC
Created attachment 312420
Proposed backported patch for RHEL-2.1