Bug 767495 (CVE-2011-4604)

Summary: CVE-2011-4604 kernel: bat_socket_read memory corruption
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerability Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecified CC: agordeev, anton, arozansk, bhu, davej, dhoward, fhrbata, gansalmon, itamar, jkacur, jlieskov, jonathan, jwboyer, kernel-maint, kernel-mgr, lgoncalv, lwang, madhu.chinakonda, plougher, rt-maint, sforsber, tcallawa, vgoyal, williams
Target Milestone: --- Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20111210,reported=20111211,source=oss-security,cvss2=2.1/AV:L/AC:L/Au:N/C:N/I:P/A:N,fedora-all/kernel=affected,rhel-5/kernel=notaffected,rhel-6/kernel=notaffected,rhel-4/kernel=notaffected,mrg-2/realtime-kernel=notaffected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-05-04 03:51:58 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 767501    
Bug Blocks: 767483    

Description Eugene Teo (Security Response) 2011-12-14 03:22:05 EST
Don't write more than the requested number of bytes of a batman-adv icmp packet to the userspace buffer. Otherwise unrelated userspace memory might get overwritten by the kernel.

https://lists.open-mesh.org/pipermail/b.a.t.m.a.n/2011-December/005908.html

Statement:

Not vulnerable. This issue did not affect the Linux kernels as shipped with Red Hat Enterprise Linux 4, 5, 6, and Red Hat Enterprise MRG as they did not include support for the BATMAN (Better Approach To Mobile Ad-hoc Networking) out-of-tree kernel module.

Acknowledgements:

Red Hat would like to thank Paul Kot for reporting this issue.
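
The length check the description calls for, as an added example (not code from this bug report or from batman-adv): a user-space model of a read handler with and without the clamp. `struct queued_pkt`, both reader functions and the 64/16-byte sizes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a queued packet; not the batman-adv structure. */
struct queued_pkt {
    unsigned char data[64];
    size_t len;                      /* number of valid bytes in data */
};

typedef size_t (*reader_fn)(const struct queued_pkt *, unsigned char *, size_t);

/* Models the flaw: the copy length comes from the packet, count is ignored. */
static size_t read_unchecked(const struct queued_pkt *p, unsigned char *dst, size_t count)
{
    (void)count;
    memcpy(dst, p->data, p->len);
    return p->len;
}

/* Hardened form: never copy more than the caller requested. */
static size_t read_clamped(const struct queued_pkt *p, unsigned char *dst, size_t count)
{
    size_t n = p->len < count ? p->len : count;
    memcpy(dst, p->data, n);
    return n;
}

/* Returns how many bytes beyond the first `count` bytes the reader modified.
 * The region is larger than any packet, so the overrun stays inside one object. */
static size_t bytes_past_request(reader_fn reader, size_t pkt_len, size_t count)
{
    struct queued_pkt p;
    unsigned char region[256];
    size_t i, touched = 0;

    if (pkt_len > sizeof(p.data) || count > sizeof(region))
        return (size_t)-1;
    memset(p.data, 0xAA, sizeof(p.data));
    p.len = pkt_len;
    memset(region, 0x55, sizeof(region));   /* 0x55 marks unrelated caller memory */
    reader(&p, region, count);
    for (i = count; i < sizeof(region); i++)
        touched += (region[i] != 0x55);
    return touched;
}

int main(void)
{
    printf("unchecked: %zu bytes past request\n", bytes_past_request(read_unchecked, 64, 16));
    printf("clamped:   %zu bytes past request\n", bytes_past_request(read_clamped, 64, 16));
    return 0;
}
```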

Comment 1 Eugene Teo (Security Response) 2011-12-14 03:47:21 EST
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 767501]