Bug 171716 - 20050901 ipmi poweroff: fix chassis control
Summary: 20050901 ipmi poweroff: fix chassis control
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
: ---
Assignee: Peter Martuccelli
QA Contact: Brian Brock
URL:
Whiteboard: public=20050901,impact=important
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-10-25 15:45 UTC by Mark J. Cox
Modified: 2007-11-30 22:07 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-03-20 21:01:34 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description Mark J. Cox 2005-10-25 15:45:22 UTC
Al Viro found that the IPMI power control function proc_write_chassctrl was
badly written, it directly used userspace pointers, it assumed that strings were
NULL
terminated, and it used the evil sscanf function.  This converts over to
using the sysctl interface for this data and changes the semantics to be a
little more logical.

This looks like it has a security implication.

This code was introduced to RHEL4 in Update2 in the patch 
linux-2.6.9-openipmi-update.patch

Patch upstream was:
http://linux.bkbits.net:8080/linux-2.6/cset@431f7eed11l7ZEzNoZLGB5k2Y4Ce2A
but note that other fixes were also made around the same time;
http://linux.bkbits.net:8080/linux-2.6/related/drivers/char/ipmi/ipmi_poweroff.c

Comment 5 Peter Martuccelli 2006-12-12 14:57:43 UTC
The upstream code changed the /proc interface so we cannot accept the patch in
RHEL.  We would end up breaking the API used by existing applications.

Comment 6 Marcel Holtmann 2006-12-12 15:13:23 UTC
The question is if we can come up with a patch that addresses the issues without
changing the /proc interface.


Comment 7 Peter Martuccelli 2006-12-13 19:22:52 UTC
Outside of the two lines mentioned in the first comment, the whole patch is
about changing the /proc interface to move the ipmi devices to /proc/sys using
the sysctl interface.  We cannot come up with an alternative patch to resolve
this issue.  This is secondary, the string is null terminated, and follows the
correct default code path to power down the system based on the sscanf usage. 
There is no security issue here to resolve, and no bug(s) to fix.  As part of
IPMI maintenance I would update the poweroff module to keep in sync with
upstream, but as I mentioned it would break the user space API.

Let me know if there is a CVE for this BZ entry.

Comment 8 Marcel Holtmann 2006-12-13 22:48:49 UTC
As to my knowledge, we never assigned a CVE name for this issue, but this means
basically nothing. However thanks for the additional explanation and feel free
to close this one as NOTABUG now.


Comment 9 Marcel Holtmann 2007-03-20 21:01:34 UTC
Closing this one as WONTFIX now, since it seems it is impossible to fix this
issue without breaking the user space API.



Note You need to log in before you can comment on or make changes to this bug.