Bug 470958 (CVE-2008-5033)
| Field | Value |
|---|---|
| Summary | CVE-2008-5033 kernel: security: avoid calling a NULL function pointer in drivers/video/tvaudio.c |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED NOTABUG |
| Severity | high |
| Priority | high |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Eugene Teo (Security Response) <eteo> |
| Assignee | Red Hat Product Security <security-response-team> |
| CC | anton, dhoward, dzickus, jpirko, lgoncalv, lwang, mchehab, vgoyal, vmayatsk |
| Keywords | Security |
| Doc Type | Bug Fix |
| Last Closed | 2008-11-19 06:47:03 UTC |
| Bug Depends On | 470959, 470960, 470961, 470962, 470963, 470964, 470965 |
| Bug Blocks | 471880 |

Description
Eugene Teo (Security Response)
2008-11-11 04:15:02 UTC
Created attachment 323147
Proposed upstream patch

Created attachment 323605
Fix OOPS at chip_command call when handling VIDIOC_S_CTRL

This is the proper patch to fix the bug.

I've already commented about it upstream, at:

http://lkml.org/lkml/2008/11/14/169

I'll be sending also a pull request soon for the tvaudio patch series.

Upstream request sent: http://lkml.org/lkml/2008/11/14/202

I should be backporting the patches to RHEL kernels soon.

(In reply to comment #11)
> Created an attachment (id=323605)
> Fix OOPS at chip_command call when handling VIDIOC_S_CTRL
>
> This is the proper patch to fix the bug.
>
> I've already commented about it upstream, at:
>
> http://lkml.org/lkml/2008/11/14/169
>
> I'll be sending also a pull request soon for the tvaudio patch series.

Correct proposed upstream patch:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=01a1a3cc1e3fbe718bd06a2a5d4d1a2d0fb4d7d9

(In reply to comment #14)
> (In reply to comment #11)
> > Created an attachment (id=323605)
> > Fix OOPS at chip_command call when handling VIDIOC_S_CTRL
> >
> > This is the proper patch to fix the bug.
> >
> > I've already commented about it upstream, at:
> >
> > http://lkml.org/lkml/2008/11/14/169
> >
> > I'll be sending also a pull request soon for the tvaudio patch series.
>
> Correct proposed upstream patch:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=01a1a3cc1e3fbe718bd06a2a5d4d1a2d0fb4d7d9

"This bug was supposed to be fixed by 5ba2f67afb02c5302b2898949ed6fc3b3d37dcf1, where a call to NULL happens.

Not all tvaudio chips allow controlling bass/treble. So, the driver has a table with a flag to indicate if the chip does support it.

Unfortunately, the handling of this logic was broken for a very long time (probably since the first module version). Due to that, an OOPS was generated for devices that don't support bass/treble."

FYI.

The bass/treble breakage was a regression, caused by this changeset:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=dc3d75da05c3ff2dd6510c32a11deacced49d1a1

The changeset replaced the old V4L1 ioctls VIDIOCGAUDIO and VIDIOCSAUDIO with the V4L2 ones: VIDIOC_QUERYCTRL, VIDIOC_S_CTRL and VIDIOC_G_CTRL, unfortunately using inverted logic when setting bass level. So, it was basically replacing the KABI with a more modern one.

Since changeset dc3d75da05c3ff2dd6510c32a11deacced49d1a1 wasn't applied to RHEL kernels, they aren't vulnerable to CVE-2008-5033.

This bug was due to KABI changes from V4L1 to V4L2 API. They don't affect RHEL/MRG kernels.
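
The failure mode described in the comments above (a per-chip capability flag tested with inverted logic, so a chip without bass/treble support reaches a NULL callback), as an added C example. It is not the tvaudio.c code or the upstream patch: `chip_desc`, `CHIP_HAS_BASSTREBLE`, `scale_bass`, `set_bass_inverted` and `set_bass_checked` are hypothetical names, and the NULL call is modelled as `-EFAULT` so the program runs to completion.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified model of a per-chip table; not the tvaudio.c source. */
#define CHIP_HAS_BASSTREBLE (1u << 0)

struct chip_desc {
    const char *name;
    unsigned int flags;          /* capability flags for this chip */
    int (*bassfunc)(int level);  /* NULL when the chip has no bass control */
};

static int scale_bass(int level) { return level >> 12; }  /* constructed conversion */

static const struct chip_desc chips[] = {
    { "tone-capable", CHIP_HAS_BASSTREBLE, scale_bass },
    { "volume-only",  0,                   NULL },
};

/* "Before": the capability test is inverted, so only chips WITHOUT bass
 * support reach the callback. */
static int set_bass_inverted(const struct chip_desc *d, int level, int *reg)
{
    if (d->flags & CHIP_HAS_BASSTREBLE)
        return -EINVAL;          /* capable chips are wrongly rejected */
    if (d->bassfunc == NULL)
        return -EFAULT;          /* stand-in for calling a NULL pointer */
    *reg = d->bassfunc(level);
    return 0;
}

/* "After": reject unsupported chips first, and never trust the flag alone. */
static int set_bass_checked(const struct chip_desc *d, int level, int *reg)
{
    if (!(d->flags & CHIP_HAS_BASSTREBLE) || d->bassfunc == NULL)
        return -EINVAL;
    *reg = d->bassfunc(level);
    return 0;
}

int main(void)
{
    int reg = -1;
    for (size_t i = 0; i < sizeof(chips) / sizeof(chips[0]); i++)
        printf("%-12s inverted=%d checked=%d\n", chips[i].name,
               set_bass_inverted(&chips[i], 32768, &reg),
               set_bass_checked(&chips[i], 32768, &reg));
    return 0;
}
```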