Bug 772894 (CVE-2012-0044) - CVE-2012-0044 kernel: drm: integer overflow in drm_mode_dirtyfb_ioctl()
Summary: CVE-2012-0044 kernel: drm: integer overflow in drm_mode_dirtyfb_ioctl()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-0044
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 773249 773250 773251 773252 782683 827514
Blocks: 772889
 
Reported: 2012-01-10 09:18 UTC by Eugene Teo (Security Response)
Modified: 2023-05-11 18:24 UTC (History)
CC: 26 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-24 07:39:56 UTC
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2012:0333 | no | normal | SHIPPED_LIVE | Important: kernel-rt security and bug fix update | 2012-02-24 01:21:35 UTC
Red Hat Product Errata | RHSA-2012:0743 | no | normal | SHIPPED_LIVE | Important: kernel security and bug fix update | 2012-06-18 17:32:36 UTC
Red Hat Product Errata | RHSA-2012:1042 | no | normal | SHIPPED_LIVE | Important: kernel security and bug fix update | 2012-06-26 22:40:37 UTC

Description Eugene Teo (Security Response) 2012-01-10 09:18:12 UTC
There is a potential integer overflow in drm_mode_dirtyfb_ioctl() if userspace passes in a large num_clips.  The call to kmalloc would allocate a small buffer, and the call to fb->funcs->dirty may result in a memory corruption.

Reported-by: Haogang Chen <haogangchen>
Signed-off-by: Xi Wang <xi.wang>

Upstream commit:
http://git.kernel.org/linus/a5cd335165e31db9dbab636fd29895d41da55dd2

Acknowledgements:

Red Hat would like to thank Chen Haogang for reporting this issue.
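
As an added example (not code from this bug report, the reporter, or the upstream kernel), the following user-space C program models the sizing bug the description reports and the bound the upstream fix introduces. It assumes the DRM UAPI layouts of struct drm_clip_rect and struct drm_mode_fb_dirty_cmd, and the 256-clip cap DRM_MODE_FB_DIRTY_MAX_CLIPS added by commit a5cd335165e3; the 32-bit wrap-around models a 32-bit kernel, where size_t is 32 bits wide and num_clips * sizeof(*clips) can overflow. The request values are constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Layouts as in the DRM user-space API: a clip is 8 bytes and the ioctl
 * request carries a 32-bit clip count plus a user pointer to the clips. */
struct drm_clip_rect {
    uint16_t x1, y1, x2, y2;
};

struct drm_mode_fb_dirty_cmd {
    uint32_t fb_id;
    uint32_t flags;
    uint32_t color;
    uint32_t num_clips;
    uint64_t clips_ptr;
};

/* Hard cap introduced by the upstream fix (assumed value: 256). */
#define DRM_MODE_FB_DIRTY_MAX_CLIPS 256

/* Pre-fix sizing, modelled in 32-bit arithmetic: num_clips * sizeof(*clips)
 * wraps, so a huge num_clips yields a tiny kmalloc() size. */
uint32_t clips_alloc_bytes_unchecked(uint32_t num_clips)
{
    return num_clips * (uint32_t)sizeof(struct drm_clip_rect);
}

/* How far past the end of that allocation a dirty() callback that trusts
 * num_clips would walk. Zero means allocation and iteration agree. */
uint64_t clips_overrun_bytes(uint32_t num_clips)
{
    uint64_t walked = (uint64_t)num_clips * sizeof(struct drm_clip_rect);
    return walked - clips_alloc_bytes_unchecked(num_clips);
}

/* Post-fix validation: a zero count or NULL pointer means "no clips" and
 * needs no buffer (the kernel's `if (num_clips && clips_ptr)` guard);
 * otherwise the count is bounded before the size is computed, so the
 * multiplication cannot wrap. Returns 0 and stores the byte count, or
 * -EINVAL for an out-of-range request, as the fixed ioctl does. */
int clips_alloc_bytes_checked(const struct drm_mode_fb_dirty_cmd *r, size_t *bytes)
{
    *bytes = 0;
    if (r->num_clips == 0 || r->clips_ptr == 0)
        return 0;
    if (r->num_clips > DRM_MODE_FB_DIRTY_MAX_CLIPS)
        return -EINVAL;
    *bytes = (size_t)r->num_clips * sizeof(struct drm_clip_rect);
    return 0;
}

int main(void)
{
    /* Constructed hostile request: 0x20000001 clips * 8 bytes = 0x100000008,
     * which wraps to 8 bytes in 32-bit arithmetic. */
    struct drm_mode_fb_dirty_cmd evil = {
        .fb_id = 1, .flags = 0, .color = 0,
        .num_clips = 0x20000001u, .clips_ptr = 0x10000ULL,
    };
    size_t bytes;
    int rc;

    printf("unchecked alloc for %u clips: %u bytes (dirty() overruns by %llu bytes)\n",
           evil.num_clips, clips_alloc_bytes_unchecked(evil.num_clips),
           (unsigned long long)clips_overrun_bytes(evil.num_clips));

    rc = clips_alloc_bytes_checked(&evil, &bytes);
    printf("checked path: rc=%d (%s)\n", rc, rc == -EINVAL ? "rejected" : "accepted");

    /* A well-formed request at the maximum allowed count is still accepted. */
    struct drm_mode_fb_dirty_cmd ok = evil;
    ok.num_clips = DRM_MODE_FB_DIRTY_MAX_CLIPS;
    rc = clips_alloc_bytes_checked(&ok, &bytes);
    printf("checked path for %u clips: rc=%d, %zu bytes\n", ok.num_clips, rc, bytes);
    return 0;
}
```

The point of the hard cap is that it makes the later size computation trivially safe on every architecture; an alternative is an overflow-checked multiply, but a count bound is simpler to audit and also limits the work a caller can force the driver to do per ioctl.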

Comment 3 Kurt Seifried 2012-01-12 00:13:50 UTC
Added CVE-2012-0044 as per
http://www.openwall.com/lists/oss-security/2012/01/12/1

Comment 4 Petr Matousek 2012-01-12 14:57:01 UTC
Statement:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5 as they did not backport commit 884840aa that introduced this issue.

Comment 5 Eugene Teo (Security Response) 2012-01-18 07:09:59 UTC
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 782683]

Comment 6 Eugene Teo (Security Response) 2012-02-17 06:57:14 UTC
To exploit this, the user has to log in under X or otherwise have r/w access to
the dri path (group "video").

Comment 7 errata-xmlrpc 2012-02-23 20:24:07 UTC
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:0333 https://rhn.redhat.com/errata/RHSA-2012-0333.html

Comment 10 errata-xmlrpc 2012-06-18 13:33:31 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0743 https://rhn.redhat.com/errata/RHSA-2012-0743.html

Comment 11 Thomas Lang 2012-06-22 12:18:09 UTC
Is it possible to fix this bug without the new kernel from RedHat?

Comment 12 Petr Matousek 2012-06-25 06:52:11 UTC
(In reply to comment #11)
> Is it possible to fix this bug without the new kernel from RedHat?

Sure. You can use an upstream kernel that has this problem fixed (includes the a5cd335165e31db9dbab636fd29895d41da55dd2 commit). You can even use recent Fedora kernels; they include the fix now as well.

Comment 13 errata-xmlrpc 2012-06-26 18:41:34 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6.1 EUS - Server Only

Via RHSA-2012:1042 https://rhn.redhat.com/errata/RHSA-2012-1042.html

