Bug 772894 - (CVE-2012-0044) CVE-2012-0044 kernel: drm: integer overflow in drm_mode_dirtyfb_ioctl()
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
impact=important,public=20111123,repo...
Keywords: Security
Depends On: 773249 773250 773251 773252 782683 827514
Blocks: 772889
Reported: 2012-01-10 04:18 EST by Eugene Teo (Security Response)
Modified: 2016-03-04 07:33 EST (History)

Doc Type: Bug Fix
Last Closed: 2013-04-24 03:39:56 EDT
Description Eugene Teo (Security Response) 2012-01-10 04:18:12 EST
There is a potential integer overflow in drm_mode_dirtyfb_ioctl() if userspace passes in a large num_clips. The call to kmalloc would allocate a small buffer, and the call to fb->funcs->dirty may result in memory corruption.

Reported-by: Haogang Chen <haogangchen@gmail.com>
Signed-off-by: Xi Wang <xi.wang@gmail.com>

Upstream commit:
http://git.kernel.org/linus/a5cd335165e31db9dbab636fd29895d41da55dd2

Acknowledgements:

Red Hat would like to thank Chen Haogang for reporting this issue.
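The arithmetic behind the report above, as an added example that is neither the kernel's code nor part of this bug: a user-space C model of the pre-fix allocation-size computation on a 32-bit kernel (size_t modelled as uint32_t, where a u32 num_clips times sizeof(struct drm_clip_rect) can wrap), beside a hardened version that caps num_clips and independently rejects any count whose product would not fit. The function names and the MAX_CLIPS constant are assumptions, not values from this page.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Same layout as the kernel's struct drm_clip_rect: four u16 fields, 8 bytes. */
struct drm_clip_rect {
    uint16_t x1, y1, x2, y2;
};

/* Model a 32-bit kernel's size_t so the wrap reproduces on any host. */
typedef uint32_t ksize_t;

/* Pre-fix computation: num_clips, a u32 straight from userspace, times
 * sizeof(*clips) in 32-bit arithmetic.  A large num_clips wraps the product,
 * so the allocator is asked for a tiny buffer while later code still handles
 * num_clips rectangles: the memory corruption the report describes. */
ksize_t vulnerable_alloc_size(uint32_t num_clips)
{
    return num_clips * (ksize_t)sizeof(struct drm_clip_rect);
}

#define MAX_CLIPS 256u   /* assumed cap; the upstream fix bounds num_clips similarly */

/* Hardened computation (added example, not the kernel's code).  Reject counts
 * above the cap, and independently reject any count whose product would not
 * fit in ksize_t, so the check still holds if the cap is ever raised.
 * Returns the byte count, or -EINVAL in kernel style. */
int64_t safe_alloc_size(uint32_t num_clips)
{
    if (num_clips > MAX_CLIPS)
        return -EINVAL;
    if (num_clips > (ksize_t)~0u / (ksize_t)sizeof(struct drm_clip_rect))
        return -EINVAL;  /* multiplication would wrap */
    return (int64_t)num_clips * (int64_t)sizeof(struct drm_clip_rect);
}

int main(void)
{
    uint32_t big = 0x20000000u;  /* constructed: 2^29 clips, 2^29 * 8 == 2^32 */
    printf("num_clips=%u  pre-fix size=%u  hardened=%lld\n",
           big, vulnerable_alloc_size(big), (long long)safe_alloc_size(big));
    printf("num_clips=%u  pre-fix size=%u  hardened=%lld\n",
           4u, vulnerable_alloc_size(4u), (long long)safe_alloc_size(4u));
    return 0;
}
```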
Comment 3 Kurt Seifried 2012-01-11 19:13:50 EST
Added CVE-2012-0044 as per
http://www.openwall.com/lists/oss-security/2012/01/12/1
Comment 4 Petr Matousek 2012-01-12 09:57:01 EST
Statement:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5 as they did not backport commit 884840aa that introduced this issue.
Comment 5 Eugene Teo (Security Response) 2012-01-18 02:09:59 EST
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 782683]
Comment 6 Eugene Teo (Security Response) 2012-02-17 01:57:14 EST
To exploit this, the user has to log in under X or otherwise have r/w access to the dri path (group "video").
Comment 7 errata-xmlrpc 2012-02-23 15:24:07 EST
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:0333 https://rhn.redhat.com/errata/RHSA-2012-0333.html
Comment 10 errata-xmlrpc 2012-06-18 09:33:31 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0743 https://rhn.redhat.com/errata/RHSA-2012-0743.html
Comment 11 Thomas Lang 2012-06-22 08:18:09 EDT
Is it possible to fix this bug without the new kernel from RedHat?
Comment 12 Petr Matousek 2012-06-25 02:52:11 EDT
(In reply to comment #11)
> Is it possible to fix this bug without the new kernel from RedHat?

Sure. You can use an upstream kernel that has this problem fixed (one that includes commit a5cd335165e31db9dbab636fd29895d41da55dd2). You can even use recent Fedora kernels; they include the fix now as well.
Comment 13 errata-xmlrpc 2012-06-26 14:41:34 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.1 EUS - Server Only

Via RHSA-2012:1042 https://rhn.redhat.com/errata/RHSA-2012-1042.html