Bug 688898 (CVE-2011-1169)

Summary: CVE-2011-1169 kernel: check adapter index in hpi_ioctl
Product: [Other] Security Response Reporter: Petr Matousek <pmatouse>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: arozansk, dhoward, kernel-mgr, peterm
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Petr Matousek 2011-03-18 12:45:29 UTC
Description of the problem:
The user-supplied index into the adapters array needs to be checked, or
an out-of-bounds kernel pointer could be accessed and used, leading to
potentially exploitable memory corruption.

Reference:
http://seclists.org/oss-sec/2011/q1/540

Upstream commit:
http://git.kernel.org/?p=linux/kernel/git/tiwai/sound-2.6.git;a=commit;h=4a122c10fbfe9020df469f0f669da129c5757671

Acknowledgements:                                                                                                                                                                            
                                                                                                                                                                                                     
Red Hat would like to thank Dan Rosenberg for reporting this issue.

Comment 1 Petr Matousek 2011-03-18 12:48:07 UTC
Statement:

The Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, 6 and
Red Hat Enterprise MRG are not affected as they did not backport upstream
commit 719f82d3 that introduced this issue.