A vulnerability was found in the Linux kernel: a range check issue in drivers/gpu/drm/radeon/atombios.c could cause an off-by-one (buffer overflow) problem.
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1743600]
This was fixed for Fedora in 2.6.34, and never present in any currently supported version of Fedora.
This would only affect systems with the Radeon series graphics cards; Nvidia, Intel, and other graphics card vendors are not affected by this flaw. The "AtomBIOS" is a section of PCI configuration space (which has a likeness to ACPI) where the operating system can use the code stored there to issue commands for the AMD video card to configure itself. These commands provide a method for the driver to configure the graphics card without having to know the specific registers and values to write on a per-card basis.
But I digress. I think that this CVE is incorrectly assigned and should be disputed.
bool radeon_atom_get_tv_timings(struct radeon_device *rdev, int index, <-- THIS VALUE - INDEX
struct drm_display_mode *mode)
+ if (index >= MAX_SUPPORTED_TV_TIMING)
^ The fix is to check that the index is not greater than a hardcoded value.
So, let's take a look at how that's called, in two places:
1) atombios_encoders.c radeon_atom_mode_fixup line 333 radeon_atom_get_tv_timings(rdev, 0, adjusted_mode);
2) atombios_encoders.c radeon_atom_mode_fixup line 335 radeon_atom_get_tv_timings(rdev, 1, adjusted_mode);
Index, the second parameter, is hard-coded, which as far as I can see is declared in atombios.h, so I checked whether it was user-controllable at some time; it was introduced in commit 3f03ced880879 and never changed, so... maybe MAX_SUPPORTED_TV_TIMING was different at some point?
So let's look for that...
#define MAX_SUPPORTED_TV_TIMING 2
This was added by commit 771fe6b912fca, which is the initial introduction of this patch. This value has never changed.
I have written to MITRE to reject this CVE on these grounds. It is my recommendation that Red Hat not fix this flaw, as it is a misuse of engineering time.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
Red Hat will not be fixing this flaw as it has been analyzed as not affecting any version of Linux.