Bug 642470
Summary: | CVE-2010-2963 kernel: v4l: VIDIOCSMICROCODE arbitrary write [rhel-5.5.z] | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Eugene Teo (Security Response) <eteo> |
Component: | kernel | Assignee: | Jiri Pirko <jpirko> |
Status: | CLOSED ERRATA | QA Contact: | Red Hat Kernel QE team <kernel-qe> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 5.5 | CC: | dhoward, jpirko, lwang, mchehab, plyons, rkhan, security-response-team |
Target Milestone: | rc | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
A vulnerability was discovered in the 32-bit compatibility code for the VIDIOCSMICROCODE IOCTL (Input/Output Control) in the Video4Linux implementation. It does not affect Red Hat Enterprise Linux 5, but as a preventive measure, this update removes the code. Red Hat would like to thank Kees Cook for reporting this vulnerability.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2010-11-09 18:09:40 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 642465 |
Comment 1
Mauro Carvalho Chehab
2010-10-13 16:55:20 UTC
(In reply to comment #1) > Ok, only Stradis driver actually uses it. I doubt that stradis still work > nowadays, and it is not compiled on RHEL5/RHEL6. Well in that case we may close this as notabug, right Eugene? (In reply to comment #2) > (In reply to comment #1) > > Ok, only Stradis driver actually uses it. I doubt that stradis still work > > nowadays, and it is not compiled on RHEL5/RHEL6. > > Well in that case we may close this as notabug, right Eugene? No, we can't. The v4l2-compat layer is called for all V4L2 drivers. The other drivers will return an error code for a VIDIOCSMICROCODE call, but, as the bug is at compat layer, it will affect any system with a V4L hardware. The effects are limited to machines with some V4L hardware (like a webcam or a TV capture board), so, it affects more workstations and notebooks with RHEL. rhel5/drivers/media/video/compat_ioctl32.c static inline int microcode32(struct video_code *kp, struct video_code32 __user *up) { if(!access_ok(VERIFY_READ, up, sizeof(struct video_code32)) || copy_from_user(kp->loadwhat, up->loadwhat, sizeof (up->loadwhat)) || get_user(kp->datasize, &up->datasize) || copy_from_user(kp->data, up->data, up->datasize)) return -EFAULT; return 0; } $ grep compat_ioctl32 Makefile obj-$(CONFIG_VIDEO_DEV) += videodev.o v4l2-common.o compat_ioctl32.o #ifdef CONFIG_VIDEO_V4L1_COMPAT case VIDIOCSMICROCODE: err = microcode32(&karg.vc, up); compatible_arg = 0; break; #endif CONFIG_VIDEO_V4L1_COMPAT=y Even if no drivers uses it, we should just disable it. in kernel 2.6.18-194.21.1.el5 linux-2.6-v4l-remove-compat-code-for-vidiocsmicrocode.patch An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2010-0839.html Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: A vulnerability was discovered in the 32-bit compatibility code for the VIDIOCSMICROCODE IOCTL (Input/Output Control) in the Video4Linux implementation. It does not affect Red Hat Enterprise Linux 5, but as a preventive measure, this update removes the code. Red Hat would like to thank Kees Cook for reporting this vulnerability. |