Bug 633158

Summary: kernel: drivers/net/tulip/de4x5.c: reading uninitialized stack memory
Product: [Other] Security Response
Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: arozansk, bhu, cebbert, davej, dhoward, fhrbata, jkacur, jolsa, jpirko, kmcmartin, lgoncalv, lwang, plyons, pmatouse, vgoyal, williams
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-11-02 04:55:16 UTC
Bug Depends On: 633159, 633160, 633161, 633162, 633163, 633164, 633165, 633166

Description Eugene Teo (Security Response) 2010-09-13 04:10:09 UTC
Description of problem:
http://lkml.org/lkml/2010/9/11/169
The DE4X5_GET_REG device ioctl allows unprivileged users to read 32 bytes of uninitialized stack memory, because it copies the uninitialized "addr" member instead of the intended "lval" member.

Comment 2 Eugene Teo (Security Response) 2010-09-16 02:37:26 UTC
From Jeff Mahoney, 'tmp' is a union, not a struct. Writes to lval are the same as writes to addr. The length is correctly determined so that only initialized memory is used.

static int
de4x5_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
{   
    struct de4x5_private *lp = netdev_priv(dev);
    struct de4x5_ioctl *ioc = (struct de4x5_ioctl *) &rq->ifr_ifru;
    u_long iobase = dev->base_addr;
    int i, j, status = 0;
    s32 omr;
    union {
        u8  addr[144];
        u16 sval[72];
        u32 lval[36];
    } tmp;
[...]

Comment 3 Eugene Teo (Security Response) 2010-09-20 08:06:21 UTC
Rejecting CVE-2010-3295.
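
The union-versus-struct point from Comment 2, as an added example (not code from the driver or from this bug report): both layouts are filled with a marker byte, eight u32 values are written through lval (32 bytes / 4), and the first 32 bytes are then read back through addr to count how many were never written. struct tmp_struct, POISON, REG_LEN and the register values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON  0xAA  /* constructed marker standing in for stale stack bytes */
#define REG_LEN 32    /* the 32 bytes the report says are copied out */

/* Layout shown on the page: every member starts at offset 0. */
union tmp_union { uint8_t addr[144]; uint16_t sval[72]; uint32_t lval[36]; };

/* Hypothetical layout the original report assumed: separate storage per member. */
struct tmp_struct { uint8_t addr[144]; uint16_t sval[72]; uint32_t lval[36]; };

/* Count bytes in the copied-out range that still hold the marker. */
static int stale_bytes(const uint8_t *out, size_t len)
{
    int n = 0;
    for (size_t i = 0; i < len; i++)
        n += (out[i] == POISON);
    return n;
}

int stale_with_union(void)
{
    union tmp_union tmp;
    memset(&tmp, POISON, sizeof(tmp));
    for (int i = 0; i < REG_LEN / 4; i++)
        tmp.lval[i] = 0x11111111u * (uint32_t)(i + 1); /* constructed register values */
    return stale_bytes(tmp.addr, REG_LEN);  /* addr aliases lval */
}

int stale_with_struct(void)
{
    struct tmp_struct tmp;
    memset(&tmp, POISON, sizeof(tmp));
    for (int i = 0; i < REG_LEN / 4; i++)
        tmp.lval[i] = 0x11111111u * (uint32_t)(i + 1);
    return stale_bytes(tmp.addr, REG_LEN);  /* addr was never written */
}

int main(void)
{
    printf("union:  %d stale bytes in first %d\n", stale_with_union(), REG_LEN);
    printf("struct: %d stale bytes in first %d\n", stale_with_struct(), REG_LEN);
    return 0;
}
```

With the union, copying addr for a length that matches what was written through lval returns only initialized bytes; the struct variant is the case a reviewer should flag.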