Bug 477171 (CVE-2008-5744)

Summary: CVE-2008-5744 zaptel: Array index error in tor2 zaptel driver (incomplete fix for CVE-2008-5396)
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: eteo, jeff
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://bugs.digium.com/view.php?id=13954#96700
Doc Type: Bug Fix
Last Closed: 2009-01-20 18:45:45 UTC

Description Jan Lieskovsky 2008-12-19 13:50:41 UTC
Eugene Teo discovered that the latest upstream patch

http://bugs.digium.com/file_download.php?file_id=20796&type=bug

for the zaptel tor2 driver and CVE-2008-5396 was incomplete.

+	if ((lc->sync < 0) || (lc->sync >= MAX_TOR_CARDS)) {
+		printk(KERN_WARNING "%s %d: invalid span timing value %d.\n",
+				THIS_MODULE->name, span->spanno, lc->sync);
+		return -EINVAL;
+	}
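Review bot: the upper bound in this check compares against the wrong constant. `lc->sync - 1` is later used as an index into `p->tor->syncs[]` and `p->tor->psyncs[]`, which are declared with `SPANS_PER_CARD` (4) elements, so rejecting only `lc->sync >= MAX_TOR_CARDS` still admits values 5..63 that index past the end of both arrays. The condition should reject `lc->sync > SPANS_PER_CARD` (keeping 0 as "no sync source"); the `printk` and `-EINVAL` return are otherwise appropriate.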

We added a check, so lc->sync could only be in the range 0-63.

But then later in code, the tor2 driver contains this part:

        /* if a sync src, put it in the proper place */
        if (lc->sync) {
                p->tor->syncs[lc->sync - 1] = span->spanno;
                p->tor->psyncs[lc->sync - 1] = p->span + 1;
        }

But p->tor->syncs/psyncs are defined as arrays that can contain only
four items:

struct tor2 {
        /* This structure exists one per card */
        struct pci_dev *pci;            /* Pointer to PCI device */
        int num;                        /* Which card we are */
        int syncsrc;                    /* active sync source */
        int syncs[SPANS_PER_CARD];      /* sync sources */
        int psyncs[SPANS_PER_CARD];     /* span-relative sync sources */

where 'SPANS_PER_CARD' is defined as:
zaptel-1.4.9/kernel/tor2.c:#define SPANS_PER_CARD  4

so if lc->sync were higher than 5, the (lc->sync - 1) index of this
array would overflow.

References:
http://bugs.digium.com/view.php?id=13954#96700
http://bugs.digium.com/view.php?id=13954
http://www.openwall.com/lists/oss-security/2008/12/19/2

Upstream patch: 
http://svn.digium.com/view/dahdi?view=rev&revision=5590
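The following is an added, self-contained C illustration of the mismatch the report describes; it is not the zaptel/DAHDI driver's code and not the upstream r5590 patch. It reproduces a minimal stand-in for the quoted struct, places the incomplete bound (against the number of cards) beside a bound derived from the array size, and shows a setter that validates before writing. SPANS_PER_CARD 4 is quoted from the report; MAX_TOR_CARDS 64 is an assumption inferred from the report's "0-63" range, and the struct, function names and return-value convention are constructed for the example.

```c
/* Added illustration of the bounds-check mismatch described in the bug.
 * Not the zaptel/DAHDI driver's own code. SPANS_PER_CARD is quoted from
 * the report; MAX_TOR_CARDS 64 is assumed from the report's "0-63" range. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define SPANS_PER_CARD 4    /* quoted from tor2.c in the report */
#define MAX_TOR_CARDS  64   /* assumed: the report says the check allows 0-63 */

/* Minimal stand-in for the per-card structure quoted in the report. */
struct tor2 {
    int syncsrc;                 /* active sync source */
    int syncs[SPANS_PER_CARD];   /* sync sources */
    int psyncs[SPANS_PER_CARD];  /* span-relative sync sources */
};

/* The incomplete check: it bounds sync by the number of cards (64), but
 * sync - 1 is later used to index syncs[], which has SPANS_PER_CARD slots. */
int sync_ok_incomplete(int sync)
{
    return !(sync < 0 || sync >= MAX_TOR_CARDS);
}

/* The check the array size actually requires: sync is 0 (no sync source)
 * or 1..SPANS_PER_CARD, so that sync - 1 is always a valid index. */
int sync_ok_fixed(int sync)
{
    return !(sync < 0 || sync > SPANS_PER_CARD);
}

/* Record a span as a sync source, mirroring the quoted driver logic but
 * validating against the array bound before writing. Returns 0 or -EINVAL. */
int tor2_set_sync(struct tor2 *t, int sync, int spanno, int span_index)
{
    if (!sync_ok_fixed(sync)) {
        fprintf(stderr, "span %d: invalid span timing value %d.\n", spanno, sync);
        return -EINVAL;
    }
    if (sync) {                       /* if a sync src, put it in the proper place */
        t->syncs[sync - 1] = spanno;
        t->psyncs[sync - 1] = span_index + 1;
    }
    return 0;
}

/* Count the values in 0..MAX_TOR_CARDS-1 that the incomplete check admits
 * but the array-derived check rejects, i.e. the out-of-bounds indices. */
int count_unsafe_values_passed(void)
{
    int n = 0, s;
    for (s = 0; s < MAX_TOR_CARDS; s++)
        if (sync_ok_incomplete(s) && !sync_ok_fixed(s))
            n++;
    return n;
}

int main(void)
{
    struct tor2 card;
    memset(&card, 0, sizeof card);
    printf("sync=4 -> %d\n", tor2_set_sync(&card, 4, 7, 3));   /* 0, writes syncs[3] */
    printf("sync=5 -> %d\n", tor2_set_sync(&card, 5, 7, 3));   /* -EINVAL, no write */
    printf("values admitted by the incomplete check that index out of bounds: %d\n",
           count_unsafe_values_passed());                       /* 59 */
    return 0;
}
```

The point of the example is that a range check must be derived from the size of the object the value indexes, not from an unrelated limit: here the number of cards in the system says nothing about the number of sync slots per card, so 59 of the 64 values the incomplete check admits would write past the end of the two arrays.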

Comment 1 Jan Lieskovsky 2008-12-19 13:51:23 UTC
This issue affects all versions of the zaptel package, as shipped
with Fedora releases of 8, 9 and 10.

This issue affects the version of the zaptel package, as shipped
with Fedora Extra Packages for Enterprise Linux 5 (EPEL 5) project.

Please update the packages.

Comment 2 Tomas Hoger 2009-01-20 18:30:49 UTC
The original issue - CVE-2008-5396 - does not seem to have been addressed in Fedora in any way.  If the corrected patch is used (assuming it's needed at all, see bug #475446#c6), there's no need to care about this CVE too much.

Comment 3 Tomas Hoger 2009-01-20 18:45:45 UTC
Kernel drivers not shipped in Fedora:
  https://bugzilla.redhat.com/show_bug.cgi?id=475446#c6

Closing.