642470 – CVE-2010-2963 kernel: v4l: VIDIOCSMICROCODE arbitrary write [rhel-5.5.z]

Bug 642470 - CVE-2010-2963 kernel: v4l: VIDIOCSMICROCODE arbitrary write [rhel-5.5.z]

Summary: CVE-2010-2963 kernel: v4l: VIDIOCSMICROCODE arbitrary write [rhel-5.5.z]

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	kernel
Sub Component:
Version:	5.5
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Jiri Pirko
QA Contact:	Red Hat Kernel QE team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	CVE-2010-2963
TreeView+	depends on / blocked

Reported:	2010-10-13 02:30 UTC by Eugene Teo (Security Response)
Modified:	2015-05-05 01:21 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	A vulnerability was discovered in the 32-bit compatibility code for the VIDIOCSMICROCODE IOCTL (Input/Output Control) in the Video4Linux implementation. It does not affect Red Hat Enterprise Linux 5, but as a preventive measure, this update removes the code. Red Hat would like to thank Kees Cook for reporting this vulnerability.
Clone Of:
Environment:
Last Closed:	2010-11-09 18:09:40 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2010:0839	0	normal	SHIPPED_LIVE	Moderate: kernel security and bug fix update	2010-11-09 18:06:20 UTC

Comment 1 Mauro Carvalho Chehab 2010-10-13 16:55:20 UTC

Ok, only Stradis driver actually uses it. I doubt that stradis still work
nowadays, and it is not compiled on RHEL5/RHEL6. Need to check mrg. Patch is as
simple as remove the compat bits for this ioctl.

Comment 2 Jiri Pirko 2010-10-13 20:12:38 UTC

(In reply to comment #1)
> Ok, only Stradis driver actually uses it. I doubt that stradis still work
> nowadays, and it is not compiled on RHEL5/RHEL6.

Well in that case we may close this as notabug, right Eugene?

Comment 3 Mauro Carvalho Chehab 2010-10-13 21:16:03 UTC

(In reply to comment #2)
> (In reply to comment #1)
> > Ok, only Stradis driver actually uses it. I doubt that stradis still work
> > nowadays, and it is not compiled on RHEL5/RHEL6.
> 
> Well in that case we may close this as notabug, right Eugene?

No, we can't. The v4l2-compat layer is called for all V4L2 drivers. The other drivers will return an error code for a VIDIOCSMICROCODE call, but, as the bug is at compat layer, it will affect any system with a V4L hardware.

The effects are limited to machines with some V4L hardware (like a webcam or a TV capture board), so, it affects more workstations and notebooks with RHEL.

Comment 4 Eugene Teo (Security Response) 2010-10-14 00:58:06 UTC

rhel5/drivers/media/video/compat_ioctl32.c
static inline int microcode32(struct video_code *kp, struct video_code32 __user *up)
{
        if(!access_ok(VERIFY_READ, up, sizeof(struct video_code32)) ||
                copy_from_user(kp->loadwhat, up->loadwhat, sizeof (up->loadwhat)) ||
                get_user(kp->datasize, &up->datasize) ||
                copy_from_user(kp->data, up->data, up->datasize))
                        return -EFAULT;
        return 0;
}

$ grep compat_ioctl32 Makefile 
obj-$(CONFIG_VIDEO_DEV) += videodev.o v4l2-common.o compat_ioctl32.o

#ifdef CONFIG_VIDEO_V4L1_COMPAT
        case VIDIOCSMICROCODE:
                err = microcode32(&karg.vc, up);
                compatible_arg = 0;
                break;
#endif  

CONFIG_VIDEO_V4L1_COMPAT=y

Comment 5 Eugene Teo (Security Response) 2010-10-14 01:01:08 UTC

Even if no drivers uses it, we should just disable it.

Comment 8 Jiri Pirko 2010-10-16 09:05:25 UTC

in kernel 2.6.18-194.21.1.el5

linux-2.6-v4l-remove-compat-code-for-vidiocsmicrocode.patch

Comment 11 Eugene Teo (Security Response) 2010-11-09 04:51:31 UTC

See https://bugzilla.redhat.com/show_bug.cgi?id=642465#c8. Thanks.

Comment 13 errata-xmlrpc 2010-11-09 18:09:40 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2010-0839.html

Comment 14 Martin Prpič 2010-11-11 14:09:40 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
A vulnerability was discovered in the 32-bit compatibility code for the VIDIOCSMICROCODE IOCTL (Input/Output Control) in the Video4Linux implementation. It does not affect Red Hat Enterprise Linux 5, but as a preventive measure, this update removes the code. Red Hat would like to thank Kees Cook for reporting this vulnerability.

Note You need to log in before you can comment on or make changes to this bug.