Bug 477171 (CVE-2008-5744) - CVE-2008-5744 zaptel: Array index error in tor2 zaptel driver (incomplete fix for CVE-2008-5396)
Summary: CVE-2008-5744 zaptel: Array index error in tor2 zaptel driver (incomplete fix...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2008-5744
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://bugs.digium.com/view.php?id=13...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-12-19 13:50 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:28 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-01-20 18:45:45 UTC


Attachments (Terms of Use)

Description Jan Lieskovsky 2008-12-19 13:50:41 UTC
Eugene Teo discovered the latest upstream patch

http://bugs.digium.com/file_download.php?file_id=20796&type=bug

for zaptel tor2 driver and for CVE-2008-5396 was incomplete.

+	if ((lc->sync < 0) || (lc->sync >= MAX_TOR_CARDS)) {
+		printk(KERN_WARNING "%s %d: invalid span timing value %d.\n",
+				THIS_MODULE->name, span->spanno, lc->sync);
+		return -EINVAL;
+	}

We added check, so the lc->sync could be in the range only of 0-63.

But then later in code, the tor2 driver contains this part:

    216         /* if a sync src, put it in the proper place */
    217         if (lc->sync) {
    218                 p->tor->syncs[lc->sync - 1] = span->spanno;
    219                 p->tor->psyncs[lc->sync - 1] = p->span + 1;
    220         }

But p->tor->syncs/psyncs is defined as array, that could contain only
four items:

     79 struct tor2 {
     80         /* This structure exists one per card */
     81         struct pci_dev *pci;            /* Pointer to PCI device */
     82         int num;                        /* Which card we are */
     83         int syncsrc;                    /* active sync source */
     84         int syncs[SPANS_PER_CARD];      /* sync sources */
     85         int psyncs[SPANS_PER_CARD];     /* span-relative sync sources */

where 'SPANS_PER_CARD' is defined as:
zaptel-1.4.9/kernel/tor2.c:#define SPANS_PER_CARD  4

so if the lc->sync would be higher than 5 (lc->sync -1) index of this
array would overflow.

References:
http://bugs.digium.com/view.php?id=13954#96700
http://bugs.digium.com/view.php?id=13954
http://www.openwall.com/lists/oss-security/2008/12/19/2

Upstream patch: 
http://svn.digium.com/view/dahdi?view=rev&revision=5590

Comment 1 Jan Lieskovsky 2008-12-19 13:51:23 UTC
This issue affects all versions of the zaptel package, as shipped
with Fedora releases of 8, 9 and 10.

This issue affects the version of the zaptel package, as shipped
with Fedora Extra Packages for Enterprise Linux 5 (EPEL 5) project.

Please update the packages.

Comment 2 Tomas Hoger 2009-01-20 18:30:49 UTC
The original issue - CVE-2008-5396 - does not seem to have been addressed in Fedora in any way.  If the corrected patch is used (assuming it's needed at all, see bug #475446#c6), there's no need to care about this CVE too much.

Comment 3 Tomas Hoger 2009-01-20 18:45:45 UTC
Kernel drivers not shipped in Fedora:
  https://bugzilla.redhat.com/show_bug.cgi?id=475446#c6

Closing.


Note You need to log in before you can comment on or make changes to this bug.