Bug 642470 – CVE-2010-2963 kernel: v4l: VIDIOCSMICROCODE arbitrary write [rhel-5.5.z]

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 642470 - CVE-2010-2963 kernel: v4l: VIDIOCSMICROCODE arbitrary write [rhel-5.5.z]

Summary:	CVE-2010-2963 kernel: v4l: VIDIOCSMICROCODE arbitrary write [rhel-5.5.z]

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	kernel (Show other bugs)
Sub Component:
Version:	5.5
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	rc
Target Release:	---
Assigned To:	Jiri Pirko
QA Contact:	Red Hat Kernel QE team
Docs Contact:

URL:
Whiteboard:
Keywords:	Security

Depends On:
Blocks:	CVE-2010-2963
	Show dependency tree / graph

Reported:	2010-10-12 22:30 EDT by Eugene Teo (Security Response)
Modified:	2015-05-04 21:21 EDT (History)
CC List:	7 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	A vulnerability was discovered in the 32-bit compatibility code for the VIDIOCSMICROCODE IOCTL (Input/Output Control) in the Video4Linux implementation. It does not affect Red Hat Enterprise Linux 5, but as a preventive measure, this update removes the code. Red Hat would like to thank Kees Cook for reporting this vulnerability.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2010-11-09 13:09:40 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2010:0839	normal	SHIPPED_LIVE	Moderate: kernel security and bug fix update	2010-11-09 13:06:20 EST

Groups: None (edit)

Comment 1 Mauro Carvalho Chehab 2010-10-13 12:55:20 EDT

Ok, only Stradis driver actually uses it. I doubt that stradis still work
nowadays, and it is not compiled on RHEL5/RHEL6. Need to check mrg. Patch is as
simple as remove the compat bits for this ioctl.

Comment 2 Jiri Pirko 2010-10-13 16:12:38 EDT

(In reply to comment #1)
> Ok, only Stradis driver actually uses it. I doubt that stradis still work
> nowadays, and it is not compiled on RHEL5/RHEL6.

Well in that case we may close this as notabug, right Eugene?

Comment 3 Mauro Carvalho Chehab 2010-10-13 17:16:03 EDT

(In reply to comment #2)
> (In reply to comment #1)
> > Ok, only Stradis driver actually uses it. I doubt that stradis still work
> > nowadays, and it is not compiled on RHEL5/RHEL6.
> 
> Well in that case we may close this as notabug, right Eugene?

No, we can't. The v4l2-compat layer is called for all V4L2 drivers. The other drivers will return an error code for a VIDIOCSMICROCODE call, but, as the bug is at compat layer, it will affect any system with a V4L hardware.

The effects are limited to machines with some V4L hardware (like a webcam or a TV capture board), so, it affects more workstations and notebooks with RHEL.

Comment 4 Eugene Teo (Security Response) 2010-10-13 20:58:06 EDT

rhel5/drivers/media/video/compat_ioctl32.c
static inline int microcode32(struct video_code *kp, struct video_code32 __user *up)
{
        if(!access_ok(VERIFY_READ, up, sizeof(struct video_code32)) ||
                copy_from_user(kp->loadwhat, up->loadwhat, sizeof (up->loadwhat)) ||
                get_user(kp->datasize, &up->datasize) ||
                copy_from_user(kp->data, up->data, up->datasize))
                        return -EFAULT;
        return 0;
}

$ grep compat_ioctl32 Makefile 
obj-$(CONFIG_VIDEO_DEV) += videodev.o v4l2-common.o compat_ioctl32.o

#ifdef CONFIG_VIDEO_V4L1_COMPAT
        case VIDIOCSMICROCODE:
                err = microcode32(&karg.vc, up);
                compatible_arg = 0;
                break;
#endif  

CONFIG_VIDEO_V4L1_COMPAT=y

Comment 5 Eugene Teo (Security Response) 2010-10-13 21:01:08 EDT

Even if no drivers uses it, we should just disable it.

Comment 8 Jiri Pirko 2010-10-16 05:05:25 EDT

in kernel 2.6.18-194.21.1.el5

linux-2.6-v4l-remove-compat-code-for-vidiocsmicrocode.patch

Comment 11 Eugene Teo (Security Response) 2010-11-08 23:51:31 EST

See https://bugzilla.redhat.com/show_bug.cgi?id=642465#c8. Thanks.

Comment 13 errata-xmlrpc 2010-11-09 13:09:40 EST

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2010-0839.html

Comment 14 Martin Prpič 2010-11-11 09:09:40 EST

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
A vulnerability was discovered in the 32-bit compatibility code for the VIDIOCSMICROCODE IOCTL (Input/Output Control) in the Video4Linux implementation. It does not affect Red Hat Enterprise Linux 5, but as a preventive measure, this update removes the code. Red Hat would like to thank Kees Cook for reporting this vulnerability.

Note You need to log in before you can comment on or make changes to this bug.