Bug 772894 (CVE-2012-0044)

Summary: CVE-2012-0044 kernel: drm: integer overflow in drm_mode_dirtyfb_ioctl()
Product: [Other] Security Response
Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: agordeev, anton, arozansk, bhu, davej, dhoward, fhrbata, gansalmon, itamar, jforbes, jkacur, jonathan, jwboyer, kernel-maint, kernel-mgr, lgoncalv, lwang, madhu.chinakonda, mjc, plougher, pmatouse, rt-maint, sforsber, thomas.koppe, vgoyal, williams
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=important,public=20111123,reported=20120110,source=lkml,cvss2=6.9/AV:L/AC:M/Au:N/C:C/I:C/A:C,rhel-4/kernel=notaffected,rhel-5/kernel=notaffected,rhel-6/kernel=affected,rhel-6.1.z/kernel=affected,mrg-2/realtime-kernel=affected,fedora-all/kernel=affected,mrg-2.0/realtime-kernel=affected,fedora-15/kernel=affected,cwe=CWE-190[auto]
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-04-24 03:39:56 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 773249, 773250, 773251, 773252, 782683, 827514
Bug Blocks: 772889

Description Eugene Teo (Security Response) 2012-01-10 04:18:12 EST
There is a potential integer overflow in drm_mode_dirtyfb_ioctl() if userspace passes in a large num_clips. The call to kmalloc would allocate a small buffer, and the call to fb->funcs->dirty may result in memory corruption.

Reported-by: Haogang Chen <haogangchen@gmail.com>
Signed-off-by: Xi Wang <xi.wang@gmail.com>

Upstream commit:


Red Hat would like to thank Chen Haogang for reporting this issue.
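The arithmetic behind the report above, as an added userspace model; this is not kernel code and not the reporter's, the submitter's or Red Hat's code. Assumptions: struct clip_rect mirrors struct drm_clip_rect from <drm/drm.h> (four 16-bit coordinates, 8 bytes); ksize_t models size_t on a 32-bit kernel, where num_clips (a __u32) multiplied by sizeof(*clips) wraps modulo 2^32 (on a 64-bit kernel the product is computed in 64-bit size_t and does not wrap, so the wrap case is the one modelled here); MAX_CLIPS is an assumed cap of 256 modelled on the upstream fix's DRM_MODE_FB_DIRTY_MAX_CLIPS, and dirtyfb_model, clips_size_unchecked and clips_size_checked are hypothetical names. The model computes what kmalloc would be asked for versus what a driver dirty() callback walking num_clips entries would touch, so the mismatch is visible without dereferencing anything out of bounds.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Added model, not kernel code. Mirrors struct drm_clip_rect: 4 x u16 = 8 bytes. */
struct clip_rect { uint16_t x1, y1, x2, y2; };

/* Assumption: 32-bit kernel, so size_t (and the kmalloc size argument) is 32 bits. */
typedef uint32_t ksize_t;

/* Assumed cap, modelled on the upstream fix's DRM_MODE_FB_DIRTY_MAX_CLIPS. */
#define MAX_CLIPS 256u

struct dirtyfb_result {
    int err;               /* 0 on success, otherwise -errno */
    ksize_t allocated;     /* bytes the kmalloc request asks for */
    uint64_t needed;       /* bytes num_clips entries really occupy */
    uint32_t backed_clips; /* entries that actually fit in the buffer */
    int out_of_bounds;     /* a dirty() walking num_clips entries leaves the buffer */
};

/* Vulnerable path: the multiplication is done in 32 bits and num_clips is unbounded. */
static ksize_t clips_size_unchecked(uint32_t num_clips)
{
    return num_clips * (ksize_t)sizeof(struct clip_rect); /* wraps once num_clips >= 2^29 */
}

/* Hardened path: reject absurd counts before any size arithmetic happens. */
static int clips_size_checked(uint32_t num_clips, ksize_t *size)
{
    if (num_clips > MAX_CLIPS)
        return -EINVAL;
    /* Redundant given the cap, but an explicit overflow guard documents the intent. */
    if (num_clips > UINT32_MAX / sizeof(struct clip_rect))
        return -EOVERFLOW;
    *size = num_clips * (ksize_t)sizeof(struct clip_rect);
    return 0;
}

/* Model of the ioctl: size the allocation, then compare it with what a driver
 * iterating num_clips entries would read. No real buffer is touched. */
struct dirtyfb_result dirtyfb_model(uint32_t num_clips, int hardened)
{
    struct dirtyfb_result r = {0};
    ksize_t size = 0;

    if (hardened) {
        r.err = clips_size_checked(num_clips, &size);
        if (r.err)
            return r;
    } else {
        size = clips_size_unchecked(num_clips);
    }

    r.allocated = size;
    r.needed = (uint64_t)num_clips * sizeof(struct clip_rect);
    r.backed_clips = (uint32_t)(size / sizeof(struct clip_rect));
    r.out_of_bounds = r.needed > r.allocated;
    return r;
}

int main(void)
{
    /* Constructed input: 2^29 + 1 clips; 8 * (2^29 + 1) == 2^32 + 8, wrapping to 8. */
    uint32_t evil = 0x20000001u;
    struct dirtyfb_result v = dirtyfb_model(evil, 0);
    struct dirtyfb_result h = dirtyfb_model(evil, 1);

    printf("unchecked: allocated=%u needed=%llu backed=%u out_of_bounds=%d\n",
           v.allocated, (unsigned long long)v.needed, v.backed_clips, v.out_of_bounds);
    printf("hardened:  err=%d\n", h.err);
    return 0;
}
```

With num_clips = 0x20000001 the unchecked path asks kmalloc for 8 bytes, enough for one clip, while a driver walking num_clips entries expects just over 4 GiB, which is the mismatch the description calls memory corruption. The hardened path returns -EINVAL before the multiplication, so the allocation size is never computed from an attacker-chosen count.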
Comment 3 Kurt Seifried 2012-01-11 19:13:50 EST
Added CVE-2012-0044 as per
Comment 4 Petr Matousek 2012-01-12 09:57:01 EST

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5 as they did not backport commit 884840aa that introduced this issue.
Comment 5 Eugene Teo (Security Response) 2012-01-18 02:09:59 EST
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 782683]
Comment 6 Eugene Teo (Security Response) 2012-02-17 01:57:14 EST
To exploit this, the user has to log in under X or otherwise have r/w access to the dri path (group "video").
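A quick way to check the precondition stated in comment 6 on a given host, as an added example that is not part of the bug report: list the DRM card nodes the current user can open read/write, and report whether the user is in a given group. The directory argument defaults to /dev/dri; dri_rw_nodes and in_group are hypothetical names, and the "video" group name is taken from the comment above (distributions may use a different owning group, so check the node's group with ls -l).

```sh
#!/bin/sh
# Added example, not from the bug report. Prints each card* node under the
# given directory (default /dev/dri) that the caller can open read/write;
# returns 0 if at least one such node exists, 1 otherwise.
dri_rw_nodes() {
    dir=${1:-/dev/dri}
    found=1
    for n in "$dir"/card*; do
        [ -e "$n" ] || continue
        if [ -r "$n" ] && [ -w "$n" ]; then
            echo "$n"
            found=0
        fi
    done
    return $found
}

# Returns 0 if the caller is a member of the named group (e.g. "video").
in_group() {
    id -nG | tr ' ' '\n' | grep -qx -- "$1"
}

# Usage: run as the user whose exposure you want to assess.
if dri_rw_nodes "${1:-/dev/dri}"; then
    echo "r/w DRM access: yes (precondition for reaching the ioctl is met)"
else
    echo "r/w DRM access: no"
fi
if in_group video; then
    echo "member of group video: yes"
else
    echo "member of group video: no"
fi
```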
Comment 7 errata-xmlrpc 2012-02-23 15:24:07 EST
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:0333 https://rhn.redhat.com/errata/RHSA-2012-0333.html
Comment 10 errata-xmlrpc 2012-06-18 09:33:31 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0743 https://rhn.redhat.com/errata/RHSA-2012-0743.html
Comment 11 Thomas Lang 2012-06-22 08:18:09 EDT
Is it possible to fix this bug without the new kernel from RedHat?
Comment 12 Petr Matousek 2012-06-25 02:52:11 EDT
(In reply to comment #11)
> Is it possible to fix this bug without the new kernel from RedHat?

Sure. You can use an upstream kernel that has this problem fixed (includes commit a5cd335165e31db9dbab636fd29895d41da55dd2). You can even use recent Fedora kernels; they include the fix now as well.
Comment 13 errata-xmlrpc 2012-06-26 14:41:34 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.1 EUS - Server Only

Via RHSA-2012:1042 https://rhn.redhat.com/errata/RHSA-2012-1042.html