Bug 642470
| Summary: | CVE-2010-2963 kernel: v4l: VIDIOCSMICROCODE arbitrary write [rhel-5.5.z] | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Eugene Teo (Security Response) <eteo> |
| Component: | kernel | Assignee: | Jiri Pirko <jpirko> |
| Status: | CLOSED ERRATA | QA Contact: | Red Hat Kernel QE team <kernel-qe> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 5.5 | CC: | dhoward, jpirko, lwang, mchehab, plyons, rkhan, security-response-team |
| Target Milestone: | rc | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
A vulnerability was discovered in the 32-bit compatibility code for the VIDIOCSMICROCODE IOCTL (Input/Output Control) in the Video4Linux implementation. It does not affect Red Hat Enterprise Linux 5, but as a preventive measure, this update removes the code. Red Hat would like to thank Kees Cook for reporting this vulnerability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-11-09 18:09:40 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 642465 | ||
|
Comment 1
Mauro Carvalho Chehab
2010-10-13 16:55:20 UTC
(In reply to comment #1) > Ok, only Stradis driver actually uses it. I doubt that stradis still work > nowadays, and it is not compiled on RHEL5/RHEL6. Well in that case we may close this as notabug, right Eugene? (In reply to comment #2) > (In reply to comment #1) > > Ok, only Stradis driver actually uses it. I doubt that stradis still work > > nowadays, and it is not compiled on RHEL5/RHEL6. > > Well in that case we may close this as notabug, right Eugene? No, we can't. The v4l2-compat layer is called for all V4L2 drivers. The other drivers will return an error code for a VIDIOCSMICROCODE call, but, as the bug is at compat layer, it will affect any system with a V4L hardware. The effects are limited to machines with some V4L hardware (like a webcam or a TV capture board), so, it affects more workstations and notebooks with RHEL. rhel5/drivers/media/video/compat_ioctl32.c
static inline int microcode32(struct video_code *kp, struct video_code32 __user *up)
{
if(!access_ok(VERIFY_READ, up, sizeof(struct video_code32)) ||
copy_from_user(kp->loadwhat, up->loadwhat, sizeof (up->loadwhat)) ||
get_user(kp->datasize, &up->datasize) ||
copy_from_user(kp->data, up->data, up->datasize))
return -EFAULT;
return 0;
}
$ grep compat_ioctl32 Makefile
obj-$(CONFIG_VIDEO_DEV) += videodev.o v4l2-common.o compat_ioctl32.o
#ifdef CONFIG_VIDEO_V4L1_COMPAT
case VIDIOCSMICROCODE:
err = microcode32(&karg.vc, up);
compatible_arg = 0;
break;
#endif
CONFIG_VIDEO_V4L1_COMPAT=y
Even if no drivers uses it, we should just disable it. in kernel 2.6.18-194.21.1.el5 linux-2.6-v4l-remove-compat-code-for-vidiocsmicrocode.patch An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2010-0839.html
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
A vulnerability was discovered in the 32-bit compatibility code for the VIDIOCSMICROCODE IOCTL (Input/Output Control) in the Video4Linux implementation. It does not affect Red Hat Enterprise Linux 5, but as a preventive measure, this update removes the code. Red Hat would like to thank Kees Cook for reporting this vulnerability.
|