Bug 767495 (CVE-2011-4604)

Summary: CVE-2011-4604 kernel: bat_socket_read memory corruption
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: agordeev, anton, arozansk, bhu, davej, dhoward, fhrbata, gansalmon, itamar, jkacur, jlieskov, jonathan, jwboyer, kernel-maint, kernel-mgr, lgoncalv, lwang, madhu.chinakonda, plougher, rt-maint, sforsber, tcallawa, vgoyal, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-05-04 07:51:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 767501    
Bug Blocks: 767483    

Description Eugene Teo (Security Response) 2011-12-14 08:22:05 UTC
Don't write more than the requested number of bytes of an batman-adv icmp packet to the userspace buffer. Otherwise unrelated userspace memory might get overwritten by the kernel.

https://lists.open-mesh.org/pipermail/b.a.t.m.a.n/2011-December/005908.html

Statement:

Not vulnerable. This issue did not affect the Linux kernels as shipped with Red Hat Enterprise Linux 4, 5, 6, and Red Hat Enterprise MRG as they did not include support for the BATMAN (Better Approach To Mobile Ad-hoc Networking) out-of-tree kernel module.

Acknowledgements:

Red Hat would like to thank Paul Kot for reporting this issue.

Comment 1 Eugene Teo (Security Response) 2011-12-14 08:47:21 UTC
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 767501]