Bug 679925 (CVE-2011-1013) - CVE-2011-1013 kernel: drm_modeset_ctl signedness issue
Summary: CVE-2011-1013 kernel: drm_modeset_ctl signedness issue
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-1013
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 679927 679928 679929
Blocks:
Reported: 2011-02-23 21:21 UTC by Petr Matousek
Modified: 2021-02-24 16:28 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-26 15:57:31 UTC
Embargoed:


Attachments
OpenBSD proposed patch (1.40 KB, patch)
2011-02-23 21:24 UTC, Petr Matousek
Linux proposed patch (1.49 KB, patch)
2011-02-23 22:47 UTC, Petr Matousek


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0498 0 normal SHIPPED_LIVE Important: kernel security, bug fix, and enhancement update 2011-05-10 18:10:04 UTC
Red Hat Product Errata RHSA-2011:0500 0 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2011-05-10 17:18:23 UTC

Description Petr Matousek 2011-02-23 21:21:40 UTC
Description:
It has been found that drm_modeset_ctl() did not properly validate input parameters. The issue is that the crtc variable there is signed. So a large enough value passed in the modeset parameter structure will be treated as negative, escaping the check for proper range later. This variable is later used as an index variable, effectively allowing out-of-bounds writes of zero integers.
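
The signedness flaw described above, reduced to a stand-alone C model (an added example, not the kernel's code or either attached patch; `struct modeset_req`, `NUM_CRTCS` and both function names are assumptions). It shows an upper-bound-only check accepting an index of 0x80000000 or above once the value is held in a signed int, and the same check rejecting it when the variable stays unsigned.

```c
#include <stdint.h>
#include <stdio.h>

#define NUM_CRTCS 2u  /* constructed size of the per-CRTC arrays */

/* Hypothetical stand-in for the caller-supplied modeset parameter structure. */
struct modeset_req {
    uint32_t crtc;  /* index chosen by the caller */
    uint32_t cmd;
};

/* Flawed pattern: the index lands in a signed int and only the upper
 * bound is tested. Returns 0 if the index would be used, -1 if rejected. */
static int check_signed(const struct modeset_req *req, int num_crtcs)
{
    int crtc = (int)req->crtc;  /* values >= 0x80000000 turn negative here */

    if (crtc >= num_crtcs)
        return -1;
    return 0;  /* a negative crtc reaches this point and would index an array */
}

/* Hardened pattern: the index stays unsigned, so one comparison covers
 * both ends of the range. */
static int check_unsigned(const struct modeset_req *req, unsigned int num_crtcs)
{
    unsigned int crtc = req->crtc;

    if (crtc >= num_crtcs)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed inputs: valid, just past the end, and two "large enough" values. */
    const uint32_t samples[] = { 1u, 2u, 0x80000000u, 0xFFFFFFF0u };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct modeset_req req = { samples[i], 0 };
        printf("crtc=0x%08x as int=%d signed_check=%d unsigned_check=%d\n",
               (unsigned int)req.crtc, (int)req.crtc,
               check_signed(&req, (int)NUM_CRTCS),
               check_unsigned(&req, NUM_CRTCS));
    }
    return 0;
}
```
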

Comment 3 Petr Matousek 2011-02-23 21:24:51 UTC
Created attachment 480579
OpenBSD proposed patch

Comment 4 Petr Matousek 2011-02-23 21:29:09 UTC
Statement:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 4, 5 as they did not include the affected functionality. A future update in Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG may address this flaw.

Comment 6 Petr Matousek 2011-02-23 22:47:09 UTC
Created attachment 480596
Linux proposed patch

Comment 9 Petr Matousek 2011-04-11 08:55:06 UTC
Upstream commit:
http://git.kernel.org/linus/1922756124ddd53846877416d92ba4a802bc658f

Comment 11 errata-xmlrpc 2011-05-10 17:20:30 UTC
This issue has been addressed in the following products:

  MRG for RHEL-5

Via RHSA-2011:0500 https://rhn.redhat.com/errata/RHSA-2011-0500.html

Comment 12 errata-xmlrpc 2011-05-10 18:11:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0498 https://rhn.redhat.com/errata/RHSA-2011-0498.html
