A vulnerability was found in the Linux kernel: a range check issue in drivers/gpu/drm/radeon/atombios.c could cause an off-by-one (buffer overflow) problem.

Reference:
https://mirrors.edge.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.34
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0031c41be5c529f8329e327b63cde92ba1284842
https://github.com/torvalds/linux/commit/0031c41be5c529f8329e327b63cde92ba1284842
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1743600]
This was fixed for Fedora in 2.6.34, and never present in any currently supported version of Fedora.
Some background:

This would only affect systems with Radeon series graphics cards; Nvidia, Intel, and other graphics card vendors are not affected by this flaw.

The "AtomBIOS" is a section of PCI configuration space (has a likeness to ACPI) where the operating system can use the code stored there to issue commands for the AMD video card to configure itself. These commands provide a method for the driver to configure the graphics card without having to know the specific registers and values to write on a per-card basis.

But I digress. I think that this CVE is incorrectly assigned; it should be disputed.

The problem:

bool radeon_atom_get_tv_timings(struct radeon_device *rdev, int index,    <-- THIS VALUE - INDEX
                                struct drm_display_mode *mode)
{
<snip>
+ if (index >= MAX_SUPPORTED_TV_TIMING)
<snip>
}

^ The fix is to check that the index is not greater than a hardcoded value.

So, let's take a look at how that's called, in two places:

1) atombios_encoders.c radeon_atom_mode_fixup line 333

radeon_atom_get_tv_timings(rdev, 0, adjusted_mode);

2) atombios_encoders.c radeon_atom_mode_fixup line 335

radeon_atom_get_tv_timings(rdev, 1, adjusted_mode);

Index, the second parameter, is -hard coded-, which as far as I can see as declared in atombios.h, so I checked that maybe it was user controllable at some time; it was introduced in commit 3f03ced880879 and never changed, so... maybe MAX_SUPPORTED_TV_TIMING was different at some point? So let's look for that:

4193 #define MAX_SUPPORTED_TV_TIMING 2

Which was added by the commit 771fe6b912fca, which is the initial introduction of this patch. This value has never changed.

I have written to Mitre to reject this CVE on these grounds. It is my recommendation that Red Hat not fix this flaw, as it is a misuse of engineering time.

References:
https://wiki.osdev.org/AMD_Atombios
https://www.kernel.org/doc/html/v4.15/gpu/drm-kms.html
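The reachability argument in the comment above, as an added example that is not part of that comment or of the kernel source: it counts which indices a range check lets through although they fall outside a MAX_SUPPORTED_TV_TIMING-entry array, first for the two hard-coded call-site values and then for wider ranges. It assumes the pre-fix check had the form `index > MAX_SUPPORTED_TV_TIMING` (the page shows only the fixed line); all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

#define MAX_SUPPORTED_TV_TIMING 2   /* value quoted in the comment above */

/* Assumed pre-fix check (not shown on the page): rejects only index > MAX. */
static bool accepts_before(int index) { return !(index > MAX_SUPPORTED_TV_TIMING); }

/* Check as quoted on the page: rejects index >= MAX. */
static bool accepts_after(int index) { return !(index >= MAX_SUPPORTED_TV_TIMING); }

/* Ground truth: is index a valid subscript for a MAX-entry array? */
static bool in_bounds(int index)
{
    return index >= 0 && index < MAX_SUPPORTED_TV_TIMING;
}

/* Count indices in [lo, hi] that a check lets through although they are
 * outside the array. No array is ever read here, in or out of bounds. */
static int count_bad_accepts(bool (*accepts)(int), int lo, int hi)
{
    int bad = 0;
    for (int i = lo; i <= hi; i++)
        if (accepts(i) && !in_bounds(i))
            bad++;
    return bad;
}

int main(void)
{
    /* The two call sites listed above pass the constants 0 and 1. */
    printf("callers {0,1}: before=%d after=%d\n",
           count_bad_accepts(accepts_before, 0, 1),
           count_bad_accepts(accepts_after, 0, 1));
    /* Hypothetical caller that could pass any small non-negative index. */
    printf("range 0..3:    before=%d after=%d\n",
           count_bad_accepts(accepts_before, 0, 3),
           count_bad_accepts(accepts_after, 0, 3));
    /* index is a signed int, so neither check bounds it from below. */
    printf("range -1..3:   before=%d after=%d\n",
           count_bad_accepts(accepts_before, -1, 3),
           count_bad_accepts(accepts_after, -1, 3));
    return 0;
}
```

With the call-site constants 0 and 1, both forms of the check report zero out-of-bounds accepts; the two forms differ only at index 2, which no listed caller passes.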
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2010-5331
Statement: Red Hat will not be fixing this flaw as it has been analyzed as not affecting any version of Linux.