CVE-2010-4649: Integer Overflow
First published: Fri Jan 07 2011(Updated: )
In ib_uverbs_poll_cq() code there is a potential integer overflow if userspace passes in a large cmd.ne. The calls to kmalloc() would allocate smaller buffers than intended, leading to memory corruption. There iss also an information leak if resp wasn't all used. Unprivileged userspace may call this function, although only if an RDMA device that uses this function is present. Fix this by copying CQ entries one at a time, which avoids the allocation entirely, and also by moving this copying into a function that makes sure to initialize all memory copied to userspace. Upstream commit: <a href="http://git.kernel.org/linus/7182afea8d1afd432a17c18162cc3fd441d0da93">http://git.kernel.org/linus/7182afea8d1afd432a17c18162cc3fd441d0da93</a>
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Linux kernel | <2.6.37 | |
| Redhat Enterprise Linux Server | =5.0 | |
| Redhat Enterprise Linux Workstation | =5.0 | |
| Redhat Enterprise Linux Desktop | =5.0 | |
| Redhat Enterprise Linux Server Aus | =5.6 | |
| Redhat Enterprise Linux Eus | =5.6 | |
| debian/linux-2.6 | ||
| debian/user-mode-linux |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/46073
- http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.37
- https://bugzilla.redhat.com/show_bug.cgi?id=667916
- http://rhn.redhat.com/errata/RHSA-2011-0927.html
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=7182afea8d1afd432a17c18162cc3fd441d0da93
- http://git.kernel.org/linus/7182afea8d1afd432a17c18162cc3fd441d0da93
- https://access.redhat.com/security/cve/CVE-2010-4649
- https://access.redhat.com/security/cve/CVE-2011-1044
- https://rhn.redhat.com/errata/RHSA-2011-0330.html
- https://access.redhat.com/support/policy/updates/errata/
- https://rhn.redhat.com/errata/RHSA-2011-0927.html
- https://rhn.redhat.com/errata/RHSA-2011-0498.html
- https://launchpad.net/bugs/cve/CVE-2010-4649
- https://security-tracker.debian.org/tracker/CVE-2010-4649
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4649
- https://nvd.nist.gov/vuln/detail/CVE-2010-4649
- https://ubuntu.com/security/CVE-2010-4649
- collector/nvd-historical
- collector/nvd-index
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2010-4649
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/softwarecombine
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- agent/event
- agent/description
- agent/severity
- agent/remedy
- agent/references
- agent/weakness
- agent/tags
- collector/usn-cve
- source/Ubuntu
- vendor/linux
- canonical/linux linux kernel
- vendor/redhat
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/5.0
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/5.0
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/5.0
- canonical/redhat enterprise linux server aus
- version/redhat enterprise linux server aus/5.6
- canonical/redhat enterprise linux eus
- version/redhat enterprise linux eus/5.6
- package-manager/debian