Bug 452478 - (CVE-2008-2826) CVE-2008-2826 kernel: sctp: sctp_getsockopt_local_addrs_old() potential overflow
CVE-2008-2826 kernel: sctp: sctp_getsockopt_local_addrs_old() potential overflow
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
reported=20080621,public=20080621,imp...
: Security
Depends On: 452479 452480 452482 452483 453138
Blocks:
  Show dependency treegraph
 
Reported: 2008-06-23 06:46 EDT by Jan Lieskovsky
Modified: 2010-12-23 16:10 EST (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-12-23 16:10:39 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2008-06-23 06:46:47 EDT
Description of problem:

kernel: sctp: Make sure N * sizeof(union sctp_addr) does not overflow.

As noticed by Gabriel Campana, the kmalloc() length arg
passed in by sctp_getsockopt_local_addrs_old() can overflow
if ->addr_num is large enough.

Therefore, enforce an appropriate limit.

Version-Release number of selected component (if applicable):
All 2.6.* versions of the Linux kernel.

Proposed upstream patch:

http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commit;h=735ce972fbc8a65fb17788debd7bbe7b4383cc62
Comment 4 Jan Lieskovsky 2008-06-30 09:59:25 EDT
Official statement of the Red Hat Security Response Team to CVE-2008-2826:

Gabriel Campana discovered a possible integer overflow in the Linux 
kernel Stream Control Transmission Protocol (SCTP) implementation. In 
the latest upstream (vanilla) kernels, this deficiency could lead to 
privilege escalation. Since earlier kernels, such as those shipped with 
Red Hat Enterprise Linux 2.1, 3, 4 and 5, use a different mechanism for 
processing the relevant data structure, these kernels are not vulnerable 
to the mentioned vulnerability.

Although the bug does not have a security consequence for the current 
Red Hat Enterprise Linux kernels, we plan to fix it in future kernel 
updates.
Comment 11 Vincent Danen 2010-12-23 16:10:39 EST
This was addressed via:

MRG Realtime for RHEL 5 Server (RHSA-2008:0585)

Note You need to log in before you can comment on or make changes to this bug.