Red Hat Bugzilla – Bug 197672
CVE-2006-2935 Possible buffer overflow in DVD handling
Last modified: 2007-11-30 17:07:10 EST
Reported by Marcus Meissner to the Kernel Bugzilla:
The dvd_read_bca() function in drivers/cdrom/cdrom.c shows a potential buffer
The variable buf[4+188] is allocated on the stack, however cgc.cmd and
cgc.buflen are set to 255:
cgc.cmd[9] = cgc.buflen = 0xff;
This can be exploited by a custom-made USB storage device and used for local
privilege escalation (aka plug in this USB device to get root).
This function was introduced in 2.2.16 (back in 2000) and as of today it
hasn't changed. Jens Axboe confirmed that this is a typo and it should read:
cgc.cmd[9] = cgc.buflen & 0xff;
It is to mask the high bits of the length. It doesn't use the high 8 bits for
the transfer length, since we are always < 256 for this case.
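As an added illustration (not code from the bug report, the patch or the kernel), the following C model builds the READ DVD STRUCTURE command both ways and checks the length the device is allowed to return against the 4+188-byte stack buffer; struct packet_command here is a hypothetical subset of the kernel's, and index 9 is the allocation-length byte that the real fix masks.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical subset of the kernel's struct packet_command, enough to model
 * dvd_read_bca(): cmd is the MMC command block, buflen the size of the driver's
 * buffer; cmd[9] is READ DVD STRUCTURE's allocation-length low byte, i.e. how
 * many bytes the device may send back. */
struct packet_command {
    unsigned char cmd[12];
    unsigned char *buffer;
    unsigned int buflen;
};

#define BCA_BUF_SIZE (4 + 188)   /* the u_char buf[4+188] in dvd_read_bca() */

/* The command as the typo built it: cmd[9] and buflen both become 0xff (255). */
static void build_bca_cmd_typo(struct packet_command *cgc, unsigned char *buf, unsigned int bufsize)
{
    memset(cgc, 0, sizeof(*cgc));
    cgc->buffer = buf;
    cgc->buflen = bufsize;
    cgc->cmd[9] = cgc->buflen = 0xff;
}

/* The corrected form: mask the length; buflen stays at the real buffer size. */
static void build_bca_cmd_fixed(struct packet_command *cgc, unsigned char *buf, unsigned int bufsize)
{
    memset(cgc, 0, sizeof(*cgc));
    cgc->buffer = buf;
    cgc->buflen = bufsize;
    cgc->cmd[9] = cgc->buflen & 0xff;
}

/* Allocation length advertised to the device by the typo or the fixed builder. */
unsigned int bca_alloc_len(bool with_typo)
{
    unsigned char buf[BCA_BUF_SIZE];
    struct packet_command cgc;
    if (with_typo)
        build_bca_cmd_typo(&cgc, buf, sizeof(buf));
    else
        build_bca_cmd_fixed(&cgc, buf, sizeof(buf));
    return cgc.cmd[9];
}

/* The invariant a reviewer wants: bytes offered to the device never exceed the buffer. */
bool bca_transfer_fits(bool with_typo)
{
    return bca_alloc_len(with_typo) <= BCA_BUF_SIZE;
}
```

With the typo the device is invited to return 255 bytes into a 192-byte buffer; with the mask the advertised length equals the buffer size.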
Created attachment 132074
patch to fix a typo in drivers/cdrom/cdrom.c
A fix for this problem has just been committed to the RHEL3 U9
patch pool this evening (in kernel version 2.4.21-47.1.EL).
A fix for this problem has also been committed to the RHEL3 E9
patch pool this evening (in kernel version 2.4.21-47.0.1.EL).
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.