Bug 608950 (CVE-2010-2478)

Summary: CVE-2010-2478 kernel: ethtool: kernel buffer overflow in ETHTOOL_GRXCLSRLALL
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: arozansk, bhu, davej, jkacur, kmcmartin, lgoncalv, lwang, pmatouse, rcvalle, tcallawa, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-03-28 08:43:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 608952, 608953    
Bug Blocks:    

Description Eugene Teo (Security Response) 2010-06-29 02:05:32 UTC 
Description of problem:
On a 32-bit machine, info.rule_cnt >= 0x40000000 leads to integer overflow and the buffer may be smaller than needed.  Since ETHTOOL_GRXCLSRLALL is unprivileged, this can presumably be used for at least denial of service.

Reference:
http://thread.gmane.org/gmane.linux.network/164869
Comment 2 Eugene Teo (Security Response) 2010-06-29 02:12:02 UTC 
ethtool_get_rxnfc() was introduced in v2.6.27-rc1 via:
netdev: Add support for rx flow hash configuration, using ethtool.
http://git.kernel.org/linus/0853ad66 v2.6.27-rc1
Also see, ethtool: Add RX pkt classification interface rxhash->rxnfc
http://git.kernel.org/linus/59089d8d

Only the niu (Neptune ethernet) driver uses this ioctl.
Comment 3 Eugene Teo (Security Response) 2010-06-29 02:14:30 UTC 
Statement:

This issue did not affect the versions of Linux kernel as shipped with Red Hat
Enterprise Linux 3 and 4, as they do not include support for the Neptune
Ethernet driver. It did not affect Red Hat Enterprise Linux 5 and Red Hat
Enterprise MRG, as they do not contain the upstream commit 0853ad66 that
introduced this flaw.
Comment 5 Chuck Ebbert 2010-07-08 10:56:00 UTC 
Patch is now upstream:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=db048b69037e7fa6a7d9e95a1271a50dc08ae233
Comment 6 Fedora Update System 2010-07-08 18:22:39 UTC 
kernel-2.6.33.6-147.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2010-07-13 07:48:28 UTC 
kernel-2.6.32.16-141.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Chuck Ebbert 2010-08-02 21:11:24 UTC 
Fixed upstream in 2.6.35, 2.6.34.2, 2.6.33.7 and 2.6.32.17
Comment 9 John Kacur 2010-08-26 18:39:40 UTC 
mrg-1.3 [bug #608952]
mrg-1.3 is based on 2.6.33.7, so we already have this fix.