Bug 470958 - (CVE-2008-5033) CVE-2008-5033 kernel: security: avoid calling a NULL function pointer in drivers/video/tvaudio.c
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,source=lkml,reported...
Keywords: Security
Depends On: 470959 470960 470961 470962 470963 470964 470965
Blocks: 471880
Reported: 2008-11-10 23:15 EST by Eugene Teo (Security Response)
Modified: 2008-11-19 01:47 EST

Doc Type: Bug Fix
Last Closed: 2008-11-19 01:47:03 EST

Attachments
Proposed upstream patch (1.24 KB, patch), 2008-11-10 23:28 EST, Eugene Teo (Security Response)
Fix OOPS at chip_command call when handling VIDIOC_S_CTRL (5.28 KB, patch), 2008-11-14 12:15 EST, Mauro Carvalho Chehab
Description Eugene Teo (Security Response) 2008-11-10 23:15:02 EST
From: Arjan van de Ven <arjan@linux.intel.com>

NULL function pointers are very bad security-wise. This one got caught by kerneloops.org quite a few times, so it's happening in the field....

Fix is simple, check the function pointer for NULL, like 6 other places in the same function are already doing.
Comment 4 Eugene Teo (Security Response) 2008-11-10 23:28:04 EST
Created attachment 323147 [details]
Proposed upstream patch
Comment 11 Mauro Carvalho Chehab 2008-11-14 12:15:46 EST
Created attachment 323605 [details]
Fix OOPS at chip_command call when handling VIDIOC_S_CTRL

This is the proper patch to fix the bug.

I've already commented about it upstream, at:

http://lkml.org/lkml/2008/11/14/169

I'll also be sending a pull request soon for the tvaudio patch series.
Comment 12 Mauro Carvalho Chehab 2008-11-14 13:15:48 EST
Upstream request sent:

http://lkml.org/lkml/2008/11/14/202

I should be backporting the patches to RHEL kernels soon.
Comment 14 Eugene Teo (Security Response) 2008-11-16 23:05:59 EST
(In reply to comment #11)
> Created an attachment (id=323605) [details]
> Fix OOPS at chip_command call when handling VIDIOC_S_CTRL
> 
> This is the proper patch to fix the bug.
> 
> I've already commented about it upstream, at:
> 
> http://lkml.org/lkml/2008/11/14/169
> 
> I'll also be sending a pull request soon for the tvaudio patch series.

Correct proposed upstream patch:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=01a1a3cc1e3fbe718bd06a2a5d4d1a2d0fb4d7d9
Comment 16 Eugene Teo (Security Response) 2008-11-17 01:13:52 EST
(In reply to comment #14)
> (In reply to comment #11)
> > Created an attachment (id=323605) [details]
> > Fix OOPS at chip_command call when handling VIDIOC_S_CTRL
> > 
> > This is the proper patch to fix the bug.
> > 
> > I've already commented about it upstream, at:
> > 
> > http://lkml.org/lkml/2008/11/14/169
> > 
> > I'll also be sending a pull request soon for the tvaudio patch series.
> 
> Correct proposed upstream patch:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=01a1a3cc1e3fbe718bd06a2a5d4d1a2d0fb4d7d9

"This bug was supposed to be fixed by 5ba2f67afb02c5302b2898949ed6fc3b3d37dcf1,
where a call to NULL happens.

Not all tvaudio chips allow controlling bass/treble. So, the driver
has a table with a flag to indicate if the chip does support it.

Unfortunately, the handling of this logic was broken for a very long
time (probably since the first module version). Due to that, an OOPS
was generated for devices that don't support bass/treble."

FYI.
Comment 17 Mauro Carvalho Chehab 2008-11-17 07:31:41 EST
The bass/treble breakage was a regression, caused by this changeset:
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=dc3d75da05c3ff2dd6510c32a11deacced49d1a1

The changeset replaced the old V4L1 ioctls VIDIOCGAUDIO and VIDIOCSAUDIO with the V4L2 ones: VIDIOC_QUERYCTRL, VIDIOC_S_CTRL and VIDIOC_G_CTRL, unfortunately using inverted logic when setting the bass level.

So, it was basically replacing the KABI with a more modern one.

Since changeset dc3d75da05c3ff2dd6510c32a11deacced49d1a1 wasn't applied to RHEL kernels, they aren't vulnerable to CVE-2008-5033.
Comment 22 Eugene Teo (Security Response) 2008-11-19 01:47:03 EST
This bug was due to KABI changes from V4L1 to V4L2 API. They don't affect
RHEL/MRG kernels.
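The pattern the description and comments 16 and 17 describe, as an added example that is not code from drivers/video/tvaudio.c or from either patch attached to this bug: a driver table of chip descriptors in which chips that cannot control bass/treble carry a NULL function pointer for that operation plus a flag saying the control is absent, and an ioctl handler that tests the flag with inverted logic, so the call is made exactly for the chips whose pointer is NULL. A call through a NULL function pointer transfers control to address zero in kernel context, which is why the description calls it "very bad security-wise" rather than just a crash. The struct, flag and function names (chip_desc, CHIP_HAS_BASS, buggy_would_call_null, s_ctrl_fixed), the local control IDs standing in for the V4L2 ones, and the sample table are all this example's own and are constructed for illustration.

```c
/*
 * Added example (not tvaudio.c or either attached patch): a simplified
 * model of the bug pattern in this report. Names and the sample table are
 * this example's own; the V4L2 control IDs are replaced by local constants.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Local stand-ins for the V4L2 control IDs mentioned in the report. */
enum ctrl_id { CTRL_BASS = 1, CTRL_TREBLE = 2 };

#define CHIP_HAS_BASS   0x01u
#define CHIP_HAS_TREBLE 0x02u

struct chip_desc {
	const char *name;
	unsigned int flags;                          /* which controls exist */
	void (*setbass)(struct chip_desc *, int);    /* NULL if unsupported */
	void (*settreble)(struct chip_desc *, int);  /* NULL if unsupported */
	int bass, treble;                            /* last values written */
};

static void generic_setbass(struct chip_desc *c, int v)   { c->bass = v; }
static void generic_settreble(struct chip_desc *c, int v) { c->treble = v; }

/* Constructed sample table: one chip with both controls, one with neither. */
static struct chip_desc chips[] = {
	{ "full-featured", CHIP_HAS_BASS | CHIP_HAS_TREBLE,
	  generic_setbass, generic_settreble, 0, 0 },
	{ "volume-only", 0, NULL, NULL, 0, 0 },
};

/*
 * Models the broken bass handler from comment 17: the flag test is
 * inverted, so the call path is reached precisely for chips that do NOT
 * advertise bass. Returns 1 when that path would call a NULL pointer,
 * instead of performing the call (which in the kernel jumps to address 0).
 * Other controls are assumed to test their flag correctly here.
 */
static int buggy_would_call_null(const struct chip_desc *c, int id)
{
	if (id == CTRL_BASS)
		return !(c->flags & CHIP_HAS_BASS) && c->setbass == NULL;
	return 0;
}

/*
 * Hardened handler: the table flag is the contract (the logic fix), and
 * the explicit pointer check is defence in depth (what the first attached
 * patch adds), so even an inconsistent table entry yields -EINVAL rather
 * than a call through NULL.
 */
static int s_ctrl_fixed(struct chip_desc *c, int id, int value)
{
	switch (id) {
	case CTRL_BASS:
		if (!(c->flags & CHIP_HAS_BASS) || !c->setbass)
			return -EINVAL;
		c->setbass(c, value);
		return 0;
	case CTRL_TREBLE:
		if (!(c->flags & CHIP_HAS_TREBLE) || !c->settreble)
			return -EINVAL;
		c->settreble(c, value);
		return 0;
	}
	return -EINVAL;
}

int main(void)
{
	size_t i;

	for (i = 0; i < sizeof(chips) / sizeof(chips[0]); i++) {
		struct chip_desc *c = &chips[i];

		printf("%-14s buggy S_CTRL(bass) would call NULL: %s; "
		       "fixed S_CTRL(bass) returns %d\n",
		       c->name,
		       buggy_would_call_null(c, CTRL_BASS) ? "yes" : "no",
		       s_ctrl_fixed(c, CTRL_BASS, 5));
	}
	return 0;
}
```

The point of keeping both checks in s_ctrl_fixed is the one the thread arrives at: fixing the inverted flag test removes the reported OOPS, while the NULL-pointer check (the check Arjan's patch proposed and that the description notes six other places in the same function already make) guards against any future table entry whose flag and pointer disagree.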