CVE-2010-2803: Infoleak
First published: Thu Aug 05 2010(Updated: )
Description of problem: There is a problem with the ioctl subsystem for drm, though it is most explicitly exposed by the intel GEM driver. Under driver-defined ioctls, drm does not sanitize the ioctl command, allowing the caller to specify how much memory should be kmalloc'd and copied back to the caller, regardless of what the driver ioctl actually does (it doesn't even need to succeed). drivers/gpu/drm/drm_drv.c long drm_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) ... unsigned int nr = DRM_IOCTL_NR(cmd); ... if ((nr >= DRM_COMMAND_BASE) && (nr < DRM_COMMAND_END) && (nr < DRM_COMMAND_BASE + dev->driver->num_ioctls)) ioctl = &dev->driver->ioctls[nr - DRM_COMMAND_BASE]; ... if (cmd & (IOC_IN | IOC_OUT)) { if (_IOC_SIZE(cmd) <= sizeof(stack_kdata)) { kdata = stack_kdata; } else { kdata = kmalloc(_IOC_SIZE(cmd), GFP_KERNEL); ... } } ... retcode = func(dev, kdata, file_priv); ... if (cmd & IOC_OUT) { if (copy_to_user((void __user *)arg, kdata, _IOC_SIZE(cmd)) != 0) retcode = -EFAULT; } "cmd" is caller-controlled, and can do whatever it likes for _IOC_SIZE(cmd), IOC_IN and IOC_OUT, resulting in leakage of previously freed kernel heap memory contents up to 16K in size.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/linux-2.6 | ||
| Linux Linux kernel | <2.6.27.53 | |
| Linux Linux kernel | >=2.6.32<2.6.32.21 | |
| Linux Linux kernel | >=2.6.34<2.6.34.6 | |
| Linux Linux kernel | >=2.6.35<2.6.35.4 | |
| Debian Debian Linux | =5.0 | |
| openSUSE openSUSE | =11.1 | |
| openSUSE openSUSE | =11.3 | |
| SUSE Linux Enterprise Desktop | =11-sp1 | |
| Suse Linux Enterprise High Availability Extension | =11-sp1 | |
| Suse Linux Enterprise Real Time | =11-sp1 | |
| SUSE Linux Enterprise Server | =11-sp1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.kernel.org/?p=linux/kernel/git/airlied/drm-2.6.git;a=commitdiff;h=b9f0aee83335db1f3915f4e42a5e21b351740afd
- http://git.kernel.org/?p=linux/kernel/git/airlied/drm-2.6.git;a=commitdiff;h=1b2f1489633888d4a06028315dc19d65768a1c05
- http://git.kernel.org/linus/b9f0aee83335db1f3915f4e42a5e21b351740afd
- http://git.kernel.org/linus/2854eedae2ff35d95e8923bebdb942bbd537c54f
- http://git.kernel.org/linus/1b2f1489633888d4a06028315dc19d65768a1c05
- https://rhn.redhat.com/errata/RHSA-2010-0842.html
- https://bugzilla.redhat.com/show_bug.cgi?id=621435
- http://secunia.com/advisories/41512
- http://www.vupen.com/english/advisories/2010/2430
- http://www.vupen.com/english/advisories/2011/0298
- http://www.debian.org/security/2010/dsa-2094
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:198
- http://www.redhat.com/support/errata/RHSA-2010-0842.html
- http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00005.html
- http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html
- http://git.kernel.org/?p=linux/kernel/git/airlied/drm-2.6.git%3Ba=commit%3Bh=1b2f1489633888d4a06028315dc19d65768a1c05
- http://git.kernel.org/?p=linux/kernel/git/airlied/drm-2.6.git%3Ba=commit%3Bh=b9f0aee83335db1f3915f4e42a5e21b351740afd
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=b9f0aee83335db1f3915f4e42a5e21b351740afd
- http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.53
- http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.32.21
- http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.34.6
- http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.35.4
- https://launchpad.net/bugs/cve/CVE-2010-2803
- https://security-tracker.debian.org/tracker/CVE-2010-2803
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2803
- https://nvd.nist.gov/vuln/detail/CVE-2010-2803
- https://ubuntu.com/security/CVE-2010-2803
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2010-2803
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- agent/remedy
- agent/description
- agent/event
- agent/references
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-historical
- collector/nvd-index
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- package-manager/debian
- vendor/linux
- canonical/linux linux kernel
- version/linux linux kernel/2.6.32
- version/linux linux kernel/2.6.34
- version/linux linux kernel/2.6.35
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/5.0
- vendor/opensuse
- canonical/opensuse opensuse
- version/opensuse opensuse/11.1
- version/opensuse opensuse/11.3
- vendor/suse
- canonical/suse linux enterprise desktop
- version/suse linux enterprise desktop/11-sp1
- canonical/suse linux enterprise high availability extension
- version/suse linux enterprise high availability extension/11-sp1
- canonical/suse linux enterprise real time
- version/suse linux enterprise real time/11-sp1
- canonical/suse linux enterprise server
- version/suse linux enterprise server/11-sp1