CVE-2010-4157
Bug #711797 reported by
Andy Whitcroft
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux (Ubuntu) |
Invalid
|
Medium
|
Andy Whitcroft | ||
Dapper |
Won't Fix
|
Medium
|
Andy Whitcroft | ||
Hardy |
Fix Released
|
Medium
|
Andy Whitcroft | ||
Karmic |
Fix Released
|
Medium
|
Andy Whitcroft | ||
Lucid |
Fix Released
|
Medium
|
Andy Whitcroft | ||
Maverick |
Fix Released
|
Medium
|
Andy Whitcroft | ||
Natty |
Invalid
|
Medium
|
Andy Whitcroft | ||
linux-fsl-imx51 (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Dapper |
Invalid
|
Undecided
|
Unassigned | ||
Hardy |
Invalid
|
Undecided
|
Unassigned | ||
Karmic |
Won't Fix
|
Undecided
|
Unassigned | ||
Lucid |
Fix Released
|
Undecided
|
Unassigned | ||
Maverick |
Invalid
|
Undecided
|
Unassigned | ||
Natty |
Invalid
|
Undecided
|
Unassigned | ||
linux-ti-omap4 (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Dapper |
Invalid
|
Undecided
|
Unassigned | ||
Hardy |
Invalid
|
Undecided
|
Unassigned | ||
Karmic |
Invalid
|
Undecided
|
Unassigned | ||
Lucid |
Invalid
|
Undecided
|
Unassigned | ||
Maverick |
Won't Fix
|
Undecided
|
Unassigned | ||
Natty |
Invalid
|
Undecided
|
Unassigned |
Bug Description
Integer overflow in the ioc_general function in drivers/scsi/gdth.c in the
Linux kernel before 2.6.36.1 on 64-bit platforms allows local users to
cause a denial of service (memory corruption) or possibly have unspecified
other impact via a large argument in an ioctl call.
CVE References
- 2010-0435
- 2010-2943
- 2010-3296
- 2010-3297
- 2010-3448
- 2010-3698
- 2010-3699
- 2010-3848
- 2010-3849
- 2010-3850
- 2010-3858
- 2010-3859
- 2010-3865
- 2010-3873
- 2010-3874
- 2010-3875
- 2010-3876
- 2010-3877
- 2010-3880
- 2010-4072
- 2010-4074
- 2010-4076
- 2010-4077
- 2010-4078
- 2010-4079
- 2010-4080
- 2010-4081
- 2010-4082
- 2010-4083
- 2010-4157
- 2010-4160
- 2010-4164
- 2010-4165
- 2010-4169
- 2010-4248
- 2010-4258
- 2010-4342
- 2010-4346
- 2010-4527
- 2010-4529
- 2010-4565
- 2010-4656
- 2011-0463
- 2011-0521
- 2011-0695
- 2011-0711
- 2011-0712
- 2011-1017
Changed in linux (Ubuntu Hardy): | |
status: | New → In Progress |
assignee: | nobody → Andy Whitcroft (apw) |
Changed in linux (Ubuntu Dapper): | |
assignee: | nobody → Andy Whitcroft (apw) |
status: | New → In Progress |
Changed in linux (Ubuntu Hardy): | |
status: | In Progress → Fix Committed |
Changed in linux (Ubuntu Karmic): | |
status: | In Progress → Fix Committed |
Changed in linux (Ubuntu Dapper): | |
status: | In Progress → Fix Committed |
Changed in linux-ti-omap4 (Ubuntu): | |
status: | New → Invalid |
Changed in linux-ti-omap4 (Ubuntu Dapper): | |
status: | New → Invalid |
Changed in linux-ti-omap4 (Ubuntu Hardy): | |
status: | New → Invalid |
Changed in linux-ti-omap4 (Ubuntu Karmic): | |
status: | New → Invalid |
Changed in linux-ti-omap4 (Ubuntu Lucid): | |
status: | New → Invalid |
Changed in linux-ti-omap4 (Ubuntu Natty): | |
status: | New → Invalid |
Changed in linux-ti-omap4 (Ubuntu Maverick): | |
status: | New → In Progress |
tags: |
added: kernel-cve-tracking-bug removed: kernel-cve-tracker |
Changed in linux (Ubuntu Dapper): | |
status: | Fix Committed → Won't Fix |
Changed in linux-ti-omap4 (Ubuntu Maverick): | |
status: | In Progress → Won't Fix |
To post a comment you must log in.
Upstream commit as below:
commit f63ae56e4e97fb1 2053590e41a4fa5 9e7daa74a4
Author: Dan Carpenter <email address hidden>
Date: Fri Oct 8 09:03:07 2010 +0200
[SCSI] gdth: integer overflow in ioctl
gdth_ ioctl_alloc( ) takes the size variable as an int. from_user( ) takes the size variable as an unsigned long.
copy_
gen.data_len and gen.sense_len are unsigned longs.
On x86_64 longs are 64 bit and ints are 32 bit.
We could pass in a very large number and the allocation would truncate from_user( ), it would result in a memory corruption.
the size to 32 bits and allocate a small buffer. Then when we do the
copy_
CC: <email address hidden>
Signed-off-by: Dan Carpenter <email address hidden>
Signed-off-by: James Bottomley <email address hidden>