Bug 1743598 (CVE-2010-5331) - CVE-2010-5331 kernel: range check issue in drivers/gpu/drm/radeon/atombios.c leads to buffer overflow
Summary: CVE-2010-5331 kernel: range check issue in drivers/gpu/drm/radeon/atombios.c ...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2010-5331
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1743600
Blocks: 1743602
TreeView+ depends on / blocked
 
Reported: 2019-08-20 09:48 UTC by Dhananjay Arunesh
Modified: 2021-02-16 21:29 UTC (History)
46 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the Linux kernel where a range check issue in drivers/gpu/drm/radeon/atombios.c could cause an off by one buffer overflow problem. It has been determined that this flaw is cannot be influenced by an attacker.
Clone Of:
Environment:
Last Closed: 2020-02-20 08:09:34 UTC


Attachments (Terms of Use)

Description Dhananjay Arunesh 2019-08-20 09:48:09 UTC
A vulnerability was found in the Linux kernel, a range check issue in drivers/gpu/drm/radeon/atombios.c could cause an off by one (buffer overflow) problem.

Reference:
https://mirrors.edge.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.34
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0031c41be5c529f8329e327b63cde92ba1284842
https://github.com/torvalds/linux/commit/0031c41be5c529f8329e327b63cde92ba1284842

Comment 1 Dhananjay Arunesh 2019-08-20 09:48:57 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1743600]

Comment 2 Justin M. Forbes 2019-08-20 12:54:24 UTC
This was fixed for Fedora in 2.6.34, and never present in any currently supported version of Fedora.

Comment 3 Wade Mealing 2020-02-20 03:21:44 UTC
Some background:

This would only affect systems with the Radeon series graphics cards, Nvidia, Intel, and other graphics card vendors that are not affected by this flaw.  The "AtomBIOS" is a section of PCI configuration space (has a likeness to ACPI)  where the operating system can use the code stored there to issue commands for the AMD video card to configure itself.  These commands provide a method for the driver to configure the graphics card without having to know the specific registers and values to write on a per-card basis.

But I digress, I think that this CVE is incorrectly assigned it should be disputed.

The problem:

bool radeon_atom_get_tv_timings(struct radeon_device *rdev, int index,  <-- THIS VALUE - INDEX
                                struct drm_display_mode *mode)
{

<snip>

+		if (index >= MAX_SUPPORTED_TV_TIMING)

<snip>

}


^ The fix is to check that the index is not greater than a hardcoded value.

So, lets take a look at how that's called, in two places:


1) atombios_encoders.c radeon_atom_mode_fixup	 line 333 radeon_atom_get_tv_timings(rdev, 0, adjusted_mode);
2) atombios_encoders.c radeon_atom_mode_fixup	 line 335 radeon_atom_get_tv_timings(rdev, 1, adjusted_mode);

Index, the second parameter is -hard coded- which as far as I can see as declared in atombios.h, so I checked that maybe it was user controllable at some time, it was introduced in commit 3f03ced880879 and never changed, so.. maybe MAX_SUPPORTED_TV_TIMING was different at some point ?

So lets look for that..

4193 #define MAX_SUPPORTED_TV_TIMING 2

Which was added by the commit 771fe6b912fca, which is the initial introduction of this patch. This value has never changed.

I have written to Mitre to reject this CVE on this grounds, It is my recommendation that Red Hat not fix this flaw as it a misuse of engineering time.

References:
https://wiki.osdev.org/AMD_Atombios
https://www.kernel.org/doc/html/v4.15/gpu/drm-kms.html

Comment 5 Product Security DevOps Team 2020-02-20 08:09:34 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2010-5331

Comment 6 Eric Christensen 2020-02-27 14:03:15 UTC
Statement:

Red Hat will not be fixing this flaw as it has been analyzed as not affecting any version of Linux.


Note You need to log in before you can comment on or make changes to this bug.