Bug 608950 (CVE-2010-2478)

Summary: CVE-2010-2478 kernel: ethtool: kernel buffer overflow in ETHTOOL_GRXCLSRLALL
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: arozansk, bhu, davej, jkacur, kmcmartin, lgoncalv, lwang, pmatouse, rcvalle, tcallawa, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-03-28 08:43:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 608952, 608953    
Bug Blocks:    

Description Eugene Teo (Security Response) 2010-06-29 02:05:32 UTC
Description of problem:
On a 32-bit machine, info.rule_cnt >= 0x40000000 leads to integer overflow and the buffer may be smaller than needed.  Since ETHTOOL_GRXCLSRLALL is unprivileged, this can presumably be used for at least denial of service.


Comment 2 Eugene Teo (Security Response) 2010-06-29 02:12:02 UTC
ethtool_get_rxnfc() was introduced in v2.6.27-rc1 via:
netdev: Add support for rx flow hash configuration, using ethtool.
http://git.kernel.org/linus/0853ad66 v2.6.27-rc1
Also see, ethtool: Add RX pkt classification interface rxhash->rxnfc

Only the niu (Neptune ethernet) driver uses this ioctl.

Comment 3 Eugene Teo (Security Response) 2010-06-29 02:14:30 UTC

This issue did not affect the versions of Linux kernel as shipped with Red Hat
Enterprise Linux 3 and 4, as they do not include support for the Neptune
Ethernet driver. It did not affect Red Hat Enterprise Linux 5 and Red Hat
Enterprise MRG, as they do not contain the upstream commit 0853ad66 that
introduced this flaw.

Comment 6 Fedora Update System 2010-07-08 18:22:39 UTC
kernel- has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2010-07-13 07:48:28 UTC
kernel- has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Chuck Ebbert 2010-08-02 21:11:24 UTC
Fixed upstream in 2.6.35,, and

Comment 9 John Kacur 2010-08-26 18:39:40 UTC
mrg-1.3 [bug #608952]
mrg-1.3 is based on, so we already have this fix.