Bug 608950 (CVE-2010-2478) - CVE-2010-2478 kernel: ethtool: kernel buffer overflow in ETHTOOL_GRXCLSRLALL
Summary: CVE-2010-2478 kernel: ethtool: kernel buffer overflow in ETHTOOL_GRXCLSRLALL
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-2478
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 608952 608953
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-06-29 02:05 UTC by Eugene Teo (Security Response)
Modified: 2021-02-24 22:53 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-03-28 08:43:14 UTC
Embargoed:


Attachments (Terms of Use)

Description Eugene Teo (Security Response) 2010-06-29 02:05:32 UTC
Description of problem:
On a 32-bit machine, info.rule_cnt >= 0x40000000 leads to integer overflow and the buffer may be smaller than needed.  Since ETHTOOL_GRXCLSRLALL is unprivileged, this can presumably be used for at least denial of service.

Reference:
http://thread.gmane.org/gmane.linux.network/164869

Comment 2 Eugene Teo (Security Response) 2010-06-29 02:12:02 UTC
ethtool_get_rxnfc() was introduced in v2.6.27-rc1 via:
netdev: Add support for rx flow hash configuration, using ethtool.
http://git.kernel.org/linus/0853ad66 v2.6.27-rc1
Also see, ethtool: Add RX pkt classification interface rxhash->rxnfc
http://git.kernel.org/linus/59089d8d

Only the niu (Neptune ethernet) driver uses this ioctl.

Comment 3 Eugene Teo (Security Response) 2010-06-29 02:14:30 UTC
Statement:

This issue did not affect the versions of Linux kernel as shipped with Red Hat
Enterprise Linux 3 and 4, as they do not include support for the Neptune
Ethernet driver. It did not affect Red Hat Enterprise Linux 5 and Red Hat
Enterprise MRG, as they do not contain the upstream commit 0853ad66 that
introduced this flaw.

Comment 6 Fedora Update System 2010-07-08 18:22:39 UTC
kernel-2.6.33.6-147.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2010-07-13 07:48:28 UTC
kernel-2.6.32.16-141.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Chuck Ebbert 2010-08-02 21:11:24 UTC
Fixed upstream in 2.6.35, 2.6.34.2, 2.6.33.7 and 2.6.32.17

Comment 9 John Kacur 2010-08-26 18:39:40 UTC
mrg-1.3 [bug #608952]
mrg-1.3 is based on 2.6.33.7, so we already have this fix.


Note You need to log in before you can comment on or make changes to this bug.