Bug 679925 (CVE-2011-1013) - CVE-2011-1013 kernel: drm_modeset_ctl signedness issue
Summary: CVE-2011-1013 kernel: drm_modeset_ctl signedness issue
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-1013
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20110222,reported=20110223,sou...
Depends On: 679927 679928 679929
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-02-23 21:21 UTC by Petr Matousek
Modified: 2019-06-08 18:45 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-26 15:57:31 UTC


Attachments (Terms of Use)
OpenBSD proposed patch (1.40 KB, patch)
2011-02-23 21:24 UTC, Petr Matousek
no flags Details | Diff
Linux proposed patch (1.49 KB, patch)
2011-02-23 22:47 UTC, Petr Matousek
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0498 normal SHIPPED_LIVE Important: kernel security, bug fix, and enhancement update 2011-05-10 18:10:04 UTC
Red Hat Product Errata RHSA-2011:0500 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2011-05-10 17:18:23 UTC

Description Petr Matousek 2011-02-23 21:21:40 UTC
Description:
It has been found that drm_modeset_ctl() did not properly validate input parameters. The issue is that the crtc variable there is signed. So a large enough value passed in the modeset parameter structure will be treated as negative, escaping the check for proper range later. This variable is later used as an index variable effectively allowing out of bounds writes of zero integers.

Comment 3 Petr Matousek 2011-02-23 21:24:51 UTC
Created attachment 480579 [details]
OpenBSD proposed patch

Comment 4 Petr Matousek 2011-02-23 21:29:09 UTC
Statement:

This issue did not affect the versions of the Linux kernel as shipped with Red
Hat Enterprise Linux 4, 5 as they did not include the affected functionality. A future update in Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG may address this flaw.

Comment 6 Petr Matousek 2011-02-23 22:47:09 UTC
Created attachment 480596 [details]
Linux proposed patch

Comment 9 Petr Matousek 2011-04-11 08:55:06 UTC
Upstream commit:
http://git.kernel.org/linus/1922756124ddd53846877416d92ba4a802bc658f

Comment 11 errata-xmlrpc 2011-05-10 17:20:30 UTC
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2011:0500 https://rhn.redhat.com/errata/RHSA-2011-0500.html

Comment 12 errata-xmlrpc 2011-05-10 18:11:36 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0498 https://rhn.redhat.com/errata/RHSA-2011-0498.html


Note You need to log in before you can comment on or make changes to this bug.