Bug 477171 - (CVE-2008-5744) CVE-2008-5744 zaptel: Array index error in tor2 zaptel driver (incomplete fix for CVE-2008-5396)
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Priority: low, Severity: low
Assigned To: Red Hat Product Security
http://bugs.digium.com/view.php?id=13...
reported=20081219,public=20081219,imp...
Reported: 2008-12-19 08:50 EST by Jan Lieskovsky
Modified: 2009-01-20 13:45 EST (History)
Description Jan Lieskovsky 2008-12-19 08:50:41 EST
Eugene Teo discovered that the latest upstream patch

http://bugs.digium.com/file_download.php?file_id=20796&type=bug

for the zaptel tor2 driver, for CVE-2008-5396, was incomplete.

+	if ((lc->sync < 0) || (lc->sync >= MAX_TOR_CARDS)) {
+		printk(KERN_WARNING "%s %d: invalid span timing value %d.\n",
+				THIS_MODULE->name, span->spanno, lc->sync);
+		return -EINVAL;
+	}
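Review bot: the upper bound in the first line of the hunk is MAX_TOR_CARDS, but lc->sync is later used as the index lc->sync - 1 into syncs[SPANS_PER_CARD] and psyncs[SPANS_PER_CARD], where SPANS_PER_CARD is 4, so any value from 5 up to MAX_TOR_CARDS - 1 still passes this check and the later assignment writes past the end of both arrays. Suggest `if ((lc->sync < 0) || (lc->sync > SPANS_PER_CARD))`, which is the bound the index actually requires.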

We added a check, so lc->sync could only be in the range 0-63.

But then later in code, the tor2 driver contains this part:

        /* if a sync src, put it in the proper place */
        if (lc->sync) {
                p->tor->syncs[lc->sync - 1] = span->spanno;
                p->tor->psyncs[lc->sync - 1] = p->span + 1;
        }

But p->tor->syncs and p->tor->psyncs are defined as arrays that can contain
only four items:

struct tor2 {
        /* This structure exists one per card */
        struct pci_dev *pci;            /* Pointer to PCI device */
        int num;                        /* Which card we are */
        int syncsrc;                    /* active sync source */
        int syncs[SPANS_PER_CARD];      /* sync sources */
        int psyncs[SPANS_PER_CARD];     /* span-relative sync sources */

where 'SPANS_PER_CARD' is defined as:
zaptel-1.4.9/kernel/tor2.c:#define SPANS_PER_CARD  4

so if lc->sync were higher than 5, the index (lc->sync - 1) into this
array would overflow.

References:
http://bugs.digium.com/view.php?id=13954#96700
http://bugs.digium.com/view.php?id=13954
http://www.openwall.com/lists/oss-security/2008/12/19/2

Upstream patch: 
http://svn.digium.com/view/dahdi?view=rev&revision=5590
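An added example (not the zaptel driver's own code) that models the incomplete and the corrected bound checks side by side against the two four-entry arrays described above. The reduced struct tor2, the value MAX_TOR_CARDS = 64, and the set_sync() helper standing in for the driver's span-configuration step are assumptions; set_sync() returns -ERANGE instead of writing out of bounds so the effect of each validator can be observed safely.

```c
#include <errno.h>

/* Sizes from the report; MAX_TOR_CARDS = 64 is an assumption. */
#define SPANS_PER_CARD 4
#define MAX_TOR_CARDS  64

/* Stand-in for the two per-card arrays the report quotes from struct tor2. */
struct tor2 {
	int syncs[SPANS_PER_CARD];   /* sync sources */
	int psyncs[SPANS_PER_CARD];  /* span-relative sync sources */
};

/* The incomplete fix: bounds lc->sync by the number of cards (0..63),
 * although it is later used as an index into a 4-entry array. */
int sync_check_incomplete(int sync)
{
	if (sync < 0 || sync >= MAX_TOR_CARDS)
		return -EINVAL;
	return 0;
}

/* Corrected check: the index written is sync - 1, so sync must be at
 * most SPANS_PER_CARD (0 means "not a sync source"). */
int sync_check_fixed(int sync)
{
	if (sync < 0 || sync > SPANS_PER_CARD)
		return -EINVAL;
	return 0;
}

/* Model of the "put it in the proper place" step, run after the chosen
 * validator. Instead of writing out of bounds as the driver would, it
 * returns -ERANGE whenever the validator let a bad index through. */
int set_sync(struct tor2 *t, int spanno, int sync, int (*check)(int))
{
	int err = check(sync);
	if (err)
		return err;
	if (sync) {
		if (sync - 1 >= SPANS_PER_CARD)
			return -ERANGE;  /* would overflow syncs[]/psyncs[] */
		t->syncs[sync - 1] = spanno;
		t->psyncs[sync - 1] = spanno + 1;  /* p->span + 1 in the driver */
	}
	return 0;
}
```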
Comment 1 Jan Lieskovsky 2008-12-19 08:51:23 EST
This issue affects all versions of the zaptel package, as shipped
with Fedora releases 8, 9 and 10.

This issue affects the version of the zaptel package, as shipped
with Fedora Extra Packages for Enterprise Linux 5 (EPEL 5) project.

Please update the packages.
Comment 2 Tomas Hoger 2009-01-20 13:30:49 EST
The original issue - CVE-2008-5396 - does not seem to have been addressed in Fedora in any way.  If the corrected patch is used (assuming it's needed at all, see bug #475446#c6), there's no need to care about this CVE too much.
Comment 3 Tomas Hoger 2009-01-20 13:45:45 EST
Kernel drivers not shipped in Fedora:
  https://bugzilla.redhat.com/show_bug.cgi?id=475446#c6

Closing.
