Bug 520990 - (CVE-2009-3228) CVE-2009-3228 kernel: tc: uninitialised kernel memory leak
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,reported=20090903,pub...
Keywords: Security
Depends On: 520863 520865 520992 520993 520994 537296
Reported: 2009-09-02 23:31 EDT by Eugene Teo (Security Response)
Modified: 2018-08-28 17:49 EDT (History)
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1522 normal SHIPPED_LIVE Moderate: kernel security and bug fix update 2009-10-22 11:09:25 EDT
Red Hat Product Errata RHSA-2009:1540 normal SHIPPED_LIVE Important: kernel-rt security, bug fix, and enhancement update 2009-11-03 13:21:07 EST
Red Hat Product Errata RHSA-2009:1548 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-11-03 14:33:33 EST

Description Eugene Teo (Security Response) 2009-09-02 23:31:27 EDT
Description of problem:
Three bytes of uninitialized kernel memory are currently leaked to user.

Upstream proposed patch:
http://patchwork.ozlabs.org/patch/32830/

CVE request:
http://article.gmane.org/gmane.comp.security.oss.general/2060
Comment 5 Jan Lieskovsky 2009-10-20 04:44:42 EDT
MITRE's CVE-2009-3228 record:
-----------------------------

The tc_fill_tclass function in net/sched/sch_api.c in the tc subsystem
in the Linux kernel 2.4.x before 2.4.37.6 and 2.6.x before 2.6.31-rc9
does not initialize certain (1) tcm__pad1 and (2) tcm__pad2 structure
members, which might allow local users to obtain sensitive information
from kernel memory via unspecified vectors.

References:
-----------
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git;a=commit;h=096ed17f20affc2db0e307658c69b67433992a7a
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=16ebb5e0b36ceadc8186f71d68b0c4fa4b6e781b
http://patchwork.ozlabs.org/patch/32830/
http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.6
http://www.kernel.org/pub/linux/kernel/v2.6/testing/v2.6.31/ChangeLog-2.6.31-rc9
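The pattern the CVE record describes, as an added user-space illustration (not the kernel source and not the upstream patch): a header struct is filled field by field over a buffer that still holds old data, so the two padding members keep whatever was there. The struct mirrors the `tcmsg` layout as an assumption, `fill_unpatched`, `fill_patched` and `stale_pad_bytes` are hypothetical names, and the 0xAA fill is a constructed stand-in for leftover kernel memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space mirror of the tcmsg header layout (assumed for illustration;
 * the authoritative definition lives in the kernel's rtnetlink header). */
struct tcmsg_demo {
    unsigned char  tcm_family;
    unsigned char  tcm__pad1;   /* 1 byte of explicit padding  */
    unsigned short tcm__pad2;   /* 2 bytes of explicit padding */
    int            tcm_ifindex;
    uint32_t       tcm_handle;
    uint32_t       tcm_parent;
    uint32_t       tcm_info;
};

/* Fill pattern with the defect: every named field is set, the pads are not. */
static void fill_unpatched(struct tcmsg_demo *t) {
    t->tcm_family  = 0;          /* AF_UNSPEC */
    t->tcm_ifindex = 2;          /* constructed sample values */
    t->tcm_handle  = 0x00010001;
    t->tcm_parent  = 0x00010000;
    t->tcm_info    = 0;
}

/* Hardened fill: same fields, plus explicit initialisation of both pads. */
static void fill_patched(struct tcmsg_demo *t) {
    fill_unpatched(t);
    t->tcm__pad1 = 0;
    t->tcm__pad2 = 0;
}

/* Returns how many padding bytes still carry the buffer's previous contents
 * after the header has been filled and would be copied out to the reader. */
static int stale_pad_bytes(int patched) {
    struct tcmsg_demo t;
    memset(&t, 0xAA, sizeof t);  /* constructed stand-in for stale memory */
    if (patched) fill_patched(&t); else fill_unpatched(&t);
    const unsigned char *raw = (const unsigned char *)&t;
    int stale = 0;
    for (size_t i = offsetof(struct tcmsg_demo, tcm__pad1);
         i < offsetof(struct tcmsg_demo, tcm_ifindex); i++)
        if (raw[i] != 0) stale++;
    return stale;
}

int main(void) {
    printf("unpatched: %d stale pad bytes\n", stale_pad_bytes(0));
    printf("patched:   %d stale pad bytes\n", stale_pad_bytes(1));
    return 0;
}
```

The same check, applied to any message header copied to user space, is a quick review test: every byte between the first and last member must be written before the copy.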
Comment 6 errata-xmlrpc 2009-10-22 11:09:29 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1522 https://rhn.redhat.com/errata/RHSA-2009-1522.html
Comment 7 errata-xmlrpc 2009-11-03 13:21:34 EST
This issue has been addressed in the following products:

  MRG for RHEL-5

Via RHSA-2009:1540 https://rhn.redhat.com/errata/RHSA-2009-1540.html
Comment 8 errata-xmlrpc 2009-11-03 14:33:51 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1548 https://rhn.redhat.com/errata/RHSA-2009-1548.html
