This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 632069 - (CVE-2010-3084) CVE-2010-3084 kernel: niu: buffer overflow for ETHTOOL_GRXCLSRLALL
CVE-2010-3084 kernel: niu: buffer overflow for ETHTOOL_GRXCLSRLALL
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
source=lkml,impact=important,reported...
: Security
Depends On: 632070 632071 632072
Blocks:
  Show dependency treegraph
 
Reported: 2010-09-09 01:15 EDT by Eugene Teo (Security Response)
Modified: 2012-07-17 20:32 EDT (History)
14 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-03-28 04:48:46 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Eugene Teo (Security Response) 2010-09-09 01:15:03 EDT
Description of problem:
niu_get_ethtool_tcam_all() assumes that its output buffer is the right size, and warns before returning if it is not.  However, the output buffer size is under user control and ETHTOOL_GRXCLSRLALL is an unprivileged ethtool command.  Therefore this is at least a local denial-of-service vulnerability.

Change it to check before writing each entry and to return an error if the buffer is already full.

http://www.spinics.net/lists/netdev/msg140133.html
Comment 2 Eugene Teo (Security Response) 2010-09-09 01:25:51 EDT
Statement:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3 and 4, as they do not include support for the Neptune Ethernet driver. It did not affect Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG, as they do not contain the upstream commit 2d96cf8c that introduced this flaw.
Comment 3 John Kacur 2010-09-09 10:04:56 EDT
This is commit ee9c5cfad29c8a13199962614b9b16f1c4137ac9
in git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6.git
Comment 4 Eugene Teo (Security Response) 2010-09-20 04:05:25 EDT
Upstream commit:
http://git.kernel.org/linus/ee9c5cfad29c8a13199962614b9b16f1c4137ac9
Comment 5 errata-xmlrpc 2010-11-10 14:07:44 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html
Comment 6 errata-xmlrpc 2010-11-22 14:34:29 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html

Note You need to log in before you can comment on or make changes to this bug.