Bug 470958 (CVE-2008-5033)
| Summary: | CVE-2008-5033 kernel: security: avoid calling a NULL function pointer in drivers/video/tvaudio.c | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Eugene Teo (Security Response) <eteo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | anton, dhoward, dzickus, jpirko, lgoncalv, lwang, mchehab, vgoyal, vmayatsk |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2008-11-19 06:47:03 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 470959, 470960, 470961, 470962, 470963, 470964, 470965 | | |
| Bug Blocks: | 471880 | | |
| Attachments: | | | |
Description
Eugene Teo (Security Response)
2008-11-11 04:15:02 UTC
Created attachment 323147
Proposed upstream patch

Created attachment 323605
Fix OOPS at chip_command call when handling VIDIOC_S_CTRL

This is the proper patch to fix the bug.

I've already commented about it upstream, at:

http://lkml.org/lkml/2008/11/14/169

I'll also be sending a pull request soon for the tvaudio patch series.

Upstream request sent: http://lkml.org/lkml/2008/11/14/202

I should be backporting the patches to RHEL kernels soon.

(In reply to comment #11)
> Created an attachment (id=323605)
> Fix OOPS at chip_command call when handling VIDIOC_S_CTRL
>
> This is the proper patch to fix the bug.
>
> I've already commented about it upstream, at:
>
> http://lkml.org/lkml/2008/11/14/169
>
> I'll also be sending a pull request soon for the tvaudio patch series.

Correct proposed upstream patch:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=01a1a3cc1e3fbe718bd06a2a5d4d1a2d0fb4d7d9

(In reply to comment #14)
> (In reply to comment #11)
> > Created an attachment (id=323605)
> > Fix OOPS at chip_command call when handling VIDIOC_S_CTRL
> >
> > This is the proper patch to fix the bug.
> >
> > I've already commented about it upstream, at:
> >
> > http://lkml.org/lkml/2008/11/14/169
> >
> > I'll also be sending a pull request soon for the tvaudio patch series.
>
> Correct proposed upstream patch:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=01a1a3cc1e3fbe718bd06a2a5d4d1a2d0fb4d7d9

"This bug was supposed to be fixed by 5ba2f67afb02c5302b2898949ed6fc3b3d37dcf1, where a call to NULL happens. Not all tvaudio chips allow controlling bass/treble. So, the driver has a table with a flag to indicate if the chip does support it. Unfortunately, the handling of this logic was broken for a very long time (probably since the first module version). Due to that, an OOPS was generated for devices that don't support bass/treble."

FYI. The bass/treble breakage was a regression, caused by this changeset:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=dc3d75da05c3ff2dd6510c32a11deacced49d1a1

The changeset replaced the old V4L1 ioctls VIDIOCGAUDIO and VIDIOCSAUDIO with the V4L2 ones: VIDIOC_QUERYCTRL, VIDIOC_S_CTRL and VIDIOC_G_CTRL, unfortunately using inverted logic when setting the bass level.

So, it was basically replacing the KABI with a more modern one.

Since changeset dc3d75da05c3ff2dd6510c32a11deacced49d1a1 wasn't applied to RHEL kernels, they aren't vulnerable to CVE-2008-5033.

This bug was due to KABI changes from the V4L1 to the V4L2 API. They don't affect RHEL/MRG kernels.
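An added illustrative model of the dispatch pattern the comments describe (not code from the driver, the patch, or this report): a chip table whose entries carry a capability flag and a function pointer, with the inverted flag test beside the corrected one. The names CHIP_HAS_BASSTREBLE, setbass, s_ctrl_bass_broken and s_ctrl_bass_fixed are assumed here, and the NULL call is instrumented to return a sentinel instead of oopsing so both dispatchers can be run side by side.

```c
#include <errno.h>
#include <stdio.h>

/* Illustrative model only; flag and field names are assumed, not the driver's. */
#define CHIP_HAS_BASSTREBLE 0x01
#define ENULLCALL 9999 /* constructed sentinel: the model caught a NULL handler */

struct chip {
    const char *name;
    unsigned flags;                       /* capability bits for this chip */
    int (*setbass)(struct chip *, int);   /* NULL when the chip has no bass control */
    int bass;                             /* last value written, so callers can verify */
};

static int generic_setbass(struct chip *c, int val) { c->bass = val; return 0; }

/* Sample chip table, constructed for the example. */
static struct chip chips[] = {
    { "tone-capable", CHIP_HAS_BASSTREBLE, generic_setbass, 0 },
    { "no-tone-control", 0, NULL, 0 },
};

/* A real driver jumps through the pointer unconditionally; here a NULL target
 * is reported as -ENULLCALL instead of oopsing, so both dispatchers can run. */
static int invoke(struct chip *c, int (*fn)(struct chip *, int), int val) {
    return fn ? fn(c, val) : -ENULLCALL;
}

/* Broken dispatch: the capability test is inverted, so chips that support bass
 * are refused and chips without it fall through to the NULL handler. */
int s_ctrl_bass_broken(struct chip *c, int val) {
    if (c->flags & CHIP_HAS_BASSTREBLE)
        return -EINVAL;
    return invoke(c, c->setbass, val);
}

/* Fixed dispatch: require the flag and, defensively, a non-NULL handler. */
int s_ctrl_bass_fixed(struct chip *c, int val) {
    if (!(c->flags & CHIP_HAS_BASSTREBLE) || c->setbass == NULL)
        return -EINVAL;
    return invoke(c, c->setbass, val);
}

int main(void) {
    for (int i = 0; i < 2; i++)
        printf("%s: broken=%d fixed=%d\n", chips[i].name,
               s_ctrl_bass_broken(&chips[i], 5), s_ctrl_bass_fixed(&chips[i], 5));
    return 0;
}
```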