Bug 633140 (CVE-2010-3298) - CVE-2010-3298 kernel: drivers/net/usb/hso.c: prevent reading uninitialized memory
Summary: CVE-2010-3298 kernel: drivers/net/usb/hso.c: prevent reading uninitialized me...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-3298
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 633142 633143 633144
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-09-13 03:56 UTC by Eugene Teo (Security Response)
Modified: 2021-10-19 09:14 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-19 09:14:36 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0007 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2011-01-11 19:44:55 UTC

Description Eugene Teo (Security Response) 2010-09-13 03:56:05 UTC
Description of problem:
http://lkml.org/lkml/2010/9/11/167

The TIOCGICOUNT device ioctl allows unprivileged users to read 9 bytes of uninitialized stack memory, because the "reserved" member of the serial_icounter_struct struct declared on the stack in hso_get_count() is not altered or zeroed before being copied back to the user.  This patch takes care of it.

Acknowledgements:

Red Hat would like to thank Dan Rosenberg for reporting this issue.

Comment 3 John Kacur 2010-09-17 12:09:10 UTC
Commit in David Miller's tree is
7011e660938fc44ed86319c18a5954e95a82ab3e

Comment 4 Eugene Teo (Security Response) 2010-11-02 05:06:46 UTC
Statement:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and 5, as they did not support USB Option High Speed Mobile Devices. This was addressed in Red Hat Enterprise Linux Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2010-0771.html.

Comment 5 errata-xmlrpc 2011-01-11 19:46:13 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0007 https://rhn.redhat.com/errata/RHSA-2011-0007.html


Note You need to log in before you can comment on or make changes to this bug.