Bug 491787 (CVE-2009-1046)

Summary: CVE-2009-1046 kernel: utf8 selection memory corruption
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bhu, jlieskov, lgoncalv, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-19 09:06:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 491788    
Bug Blocks:    
Attachments:
Description Flags
Upstream patch none

Description Eugene Teo (Security Response) 2009-03-24 03:02:42 UTC 
Fix an off-by-two memory error in console selection.

The loop below goes from sel_start to sel_end (inclusive), so it writes one more character.  This one more character was added to the allocated size (+1), but it was not multiplied by an UTF-8 multiplier.

This patch fixes a memory corruption when UTF-8 console is used and the user selects a few characters, all of them 3-byte in UTF-8 (for example a frame line).

When memory redzones are enabled, a redzone corruption is reported. When they are not enabled, trashing of random memory occurs.
Comment 1 Eugene Teo (Security Response) 2009-03-24 03:06:50 UTC 
Created attachment 336418 [details]
Upstream patch

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=878b8619f711280fd05845e21956434b5e588cc4
Comment 3 Eugene Teo (Security Response) 2009-03-24 04:04:32 UTC 
CVSS2 score of medium, 4.7 (AV:L/AC:M/Au:N/C:N/I:N/A:C)

The attacker needs to be at console to exploit this.
Comment 4 Jan Lieskovsky 2009-03-26 10:15:45 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1046 to
this vulnerability:

The console selection feature in the Linux kernel 2.6.28 before
2.6.28.4, 2.6.25, and possibly earlier versions, when the UTF-8
console is used, allows physically proximate attackers to cause a
denial of service (memory corruption) by selecting a small number of
3-byte UTF-8 characters, which triggers an "an off-by-two memory
error." NOTE: it is not clear whether this issue crosses privilege
boundaries.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1046
http://lists.openwall.net/linux-kernel/2009/01/30/333
http://lists.openwall.net/linux-kernel/2009/02/02/364
http://www.openwall.com/lists/oss-security/2009/02/12/10
http://www.openwall.com/lists/oss-security/2009/02/12/11
http://www.openwall.com/lists/oss-security/2009/02/12/9
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.28.4
http://www.securityfocus.com/bid/33672
Comment 5 errata-xmlrpc 2009-04-29 09:28:39 UTC 
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2009:0451 https://rhn.redhat.com/errata/RHSA-2009-0451.html