Bug 916075 (CVE-2013-1772)

Summary: CVE-2013-1772 kernel: call_console_drivers() function log prefix stripping DoS
Product: [Other] Security Response Reporter: Petr Matousek <pmatouse>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bhu, dhoward, esammons, fhrbata, gansalmon, iboverma, itamar, jforbes, jkacur, jonathan, jrieden, jwboyer, kernel-maint, kernel-mgr, lgoncalv, lwang, madhu.chinakonda, mcressma, nobody, plougher, rt-maint, rvrbovsk, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20130222,reported=20130222,source=gentoo,cvss2=3.8/AV:L/AC:H/Au:S/C:N/I:N/A:C,rhel-5/kernel=notaffected,rhel-6/kernel=notaffected,mrg-2.3/realtime-kernel=affected,fedora-all/kernel=notaffected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 916079    
Bug Blocks: 916097    

Description Petr Matousek 2013-02-27 03:40:38 EST
Description of the problem:
A buffer overrun flaw was found in kernels from 3.0 to 3.4 when calling
log_prefix() function from call_console_drivers().
In log_prefix(), the access to "p[1]", "p[2]" or
"simple_strtoul(&p[1], &endp, 10)" may cause a buffer overflow as this
function is called from call_console_drivers by passing "&LOG_BUF(cur_index)"
where the index must be masked to do not exceed the buffer's boundary.

A local user able to write to /dev/kmsg could use this flaw to crash the

Note: /dev/kmsg is root writable only (at least on RHEL/Fedora), but it
still might cause issues in restricted root environments.

Comment 1 Petr Matousek 2013-02-27 03:44:43 EST

This issue did not affect the versions of kernel package as shipped with Red Hat Enterprise Linux 5 and 6. Future kernel updates for Red Hat Enterprise MRG 2 may address this flaw.
Comment 3 errata-xmlrpc 2013-03-06 14:26:03 EST
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2013:0566 https://rhn.redhat.com/errata/RHSA-2013-0566.html