CVE-2010-2478
Published 2010-09-29
High · 7.2 · CVSS 3.1
AV:L/AC:L/Au:N/C:C/I:C/A:C
Integer overflow in the ethtool_get_rxnfc function in net/core/ethtool.c in the Linux kernel before 2.6.33.7 on 32-bit platforms allows local users to cause a denial of service or possibly have unspecified other impact via an ETHTOOL_GRXCLSRLALL ethtool command with a large info.rule_cnt value that triggers a buffer overflow, a different vulnerability than CVE-2010-3084.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| linux | linux_kernel | < 2.6.36 | 2.6.36 |
| linux | linux_kernel | < 2.6.33.7 | 2.6.33.7 |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
| suse | linux_enterprise_desktop | — | — |
| suse | linux_enterprise_real_time_extension | — | — |
| suse | linux_enterprise_server | — | — |
Ubuntu
Linux Kernel vulnerabilities (Marvell Dove)
vendor_ubuntu·2011-03-25·CVSS 7.2
CVE-2010-2478 [HIGH] Linux Kernel vulnerabilities (Marvell Dove)
Title: Linux Kernel vulnerabilities (Marvell Dove)
Summary: An attacker could send crafted input to the kernel and cause it to
crash.
Dan Rosenberg discovered that the RDS network protocol did not correctly
check certain parameters. A local attacker could exploit this to gain root
privileges. (CVE-2010-3904)
Nelson Elhage discovered several problems with the Acorn Econet protocol
driver. A local user could cause a denial of service via a NULL pointer
dereference, escalate privileges by overflowing the kernel stack, and
assign Econet addresses to arbitrary interfaces. (CVE-2010-3848,
CVE-2010-3849, CVE-2010-3850)
Ben Hutchings discovered that the ethtool interface did not correctly check
certain sizes. A local attacker could perform malicious ioctl calls that
could crash the system, leadin
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2011-03-03·CVSS 4.7
CVE-2009-4895 [MEDIUM] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Multiple kernel flaws.
Dan Rosenberg discovered that the RDS network protocol did not correctly
check certain parameters. A local attacker could exploit this to gain root
privileges. (CVE-2010-3904)
Nelson Elhage discovered several problems with the Acorn Econet protocol
driver. A local user could cause a denial of service via a NULL pointer
dereference, escalate privileges by overflowing the kernel stack, and
assign Econet addresses to arbitrary interfaces. (CVE-2010-3848,
CVE-2010-3849, CVE-2010-3850)
Ben Hawkes discovered that the Linux kernel did not correctly filter
registers on 64bit kernels when performing 32bit system calls. On a 64bit
system, a local attacker could manipulate 32bit system calls to gain root
privileges. (CVE-2010-3301)
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2011-02-28·CVSS 4.7
CVE-2009-4895 [MEDIUM] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Multiple kernel flaws.
Dan Rosenberg discovered that the RDS network protocol did not correctly
check certain parameters. A local attacker could exploit this to gain root
privileges. (CVE-2010-3904)
Nelson Elhage discovered several problems with the Acorn Econet protocol
driver. A local user could cause a denial of service via a NULL pointer
dereference, escalate privileges by overflowing the kernel stack, and
assign Econet addresses to arbitrary interfaces. (CVE-2010-3848,
CVE-2010-3849, CVE-2010-3850)
Ben Hawkes discovered that the Linux kernel did not correctly filter
registers on 64bit kernels when performing 32bit system calls. On a 64bit
system, a local attacker could manipulate 32bit system calls to gain root
privileges. (CVE-2010-3301)
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2011-02-25·CVSS 4.7
CVE-2009-4895 [MEDIUM] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Multiple kernel flaws.
Al Viro discovered a race condition in the TTY driver. A local attacker
could exploit this to crash the system, leading to a denial of service.
(CVE-2009-4895)
Dan Rosenberg discovered that the MOVE_EXT ext4 ioctl did not correctly
check file permissions. A local attacker could overwrite append-only files,
leading to potential data loss. (CVE-2010-2066)
Dan Rosenberg discovered that the swapexit xfs ioctl did not correctly
check file permissions. A local attacker could exploit this to read from
write-only files, leading to a loss of privacy. (CVE-2010-2226)
Gael Delalleu, Rafal Wojtczuk, and Brad Spengler discovered that the memory
manager did not properly handle when applications grow stacks into adjacent
memory regi
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2010-10-19·CVSS 4.7
CVE-2010-2525 [MEDIUM] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Multiple security issues fixed.
Dan Rosenberg discovered that the RDS network protocol did not correctly
check certain parameters. A local attacker could exploit this to gain root
privileges. (CVE-2010-3904)
Al Viro discovered a race condition in the TTY driver. A local attacker
could exploit this to crash the system, leading to a denial of service.
(CVE-2009-4895)
Dan Rosenberg discovered that the MOVE_EXT ext4 ioctl did not correctly
check file permissions. A local attacker could overwrite append-only files,
leading to potential data loss. (CVE-2010-2066)
Dan Rosenberg discovered that the swapexit xfs ioctl did not correctly
check file permissions. A local attacker could exploit this to read from
write-only files, leading to a loss of privac
Red Hat
kernel: heap contents leak from ETHTOOL_GRXCLSRLALL
vendor_redhat·2010-10-08·CVSS 7.2
CVE-2010-3861 [HIGH] kernel: heap contents leak from ETHTOOL_GRXCLSRLALL
The ethtool_get_rxnfc function in net/core/ethtool.c in the Linux kernel before 2.6.36 does not initialize a certain block of heap memory, which allows local users to obtain potentially sensitive information via an ETHTOOL_GRXCLSRLALL ethtool command with a large info.rule_cnt value, a different vulnerability than CVE-2010-2478.
Statement: This issue did not affect the versions of Linux kernel as shipped with Red Hat
Enterprise Linux 3 and 4, as they do not include support for the Neptune
Ethernet driver. It did not affect Red Hat Enterprise Linux 5 as it did not contain the upstream commit 0853ad66 that introduced this flaw.
Red Hat
kernel: ethtool: kernel buffer overflow in ETHTOOL_GRXCLSRLALL
vendor_redhat·2010-06-29·CVSS 7.2
CVE-2010-2478 [HIGH] CWE-190 kernel: ethtool: kernel buffer overflow in ETHTOOL_GRXCLSRLALL
Integer overflow in the ethtool_get_rxnfc function in net/core/ethtool.c in the Linux kernel before 2.6.33.7 on 32-bit platforms allows local users to cause a denial of service or possibly have unspecified other impact via an ETHTOOL_GRXCLSRLALL ethtool command with a large info.rule_cnt value that triggers a buffer overflow, a different vulnerability than CVE-2010-3084.
Statement: This issue did not affect the versions of Linux kernel as shipped with Red Hat
Enterprise Linux 3 and 4, as they do not include support for the Neptune
Ethernet driver. It did not affect Red Hat Enterprise Linux 5 and Red Hat
Enterprise MRG, as they do not contain the upstream commit 0853ad66 that
introduced this flaw.
GHSA
GHSA-jh48-465p-8xm7: Integer overflow in the ethtool_get_rxnfc function in net/core/ethtool
ghsa_unreviewed·2022-05-13·CVSS 7.2
CVE-2010-2478 [HIGH] CWE-190 GHSA-jh48-465p-8xm7: Integer overflow in the ethtool_get_rxnfc function in net/core/ethtool
Integer overflow in the ethtool_get_rxnfc function in net/core/ethtool.c in the Linux kernel before 2.6.33.7 on 32-bit platforms allows local users to cause a denial of service or possibly have unspecified other impact via an ETHTOOL_GRXCLSRLALL ethtool command with a large info.rule_cnt value that triggers a buffer overflow, a different vulnerability than CVE-2010-3084.
GHSA
GHSA-fp8j-xh66-8w79: The ethtool_get_rxnfc function in net/core/ethtool
ghsa_unreviewed·2022-05-13·CVSS 7.2
CVE-2010-3861 [HIGH] CWE-200 GHSA-fp8j-xh66-8w79: The ethtool_get_rxnfc function in net/core/ethtool
The ethtool_get_rxnfc function in net/core/ethtool.c in the Linux kernel before 2.6.36 does not initialize a certain block of heap memory, which allows local users to obtain potentially sensitive information via an ETHTOOL_GRXCLSRLALL ethtool command with a large info.rule_cnt value, a different vulnerability than CVE-2010-2478.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2010-3861 kernel: heap contents leak from ETHTOOL_GRXCLSRLALL
bugzilla·2010-10-26·CVSS 7.2
CVE-2010-3861 [HIGH] CVE-2010-3861 kernel: heap contents leak from ETHTOOL_GRXCLSRLALL
Description of problem:
Calling ETHTOOL_GRXCLSRLALL with a large rule_cnt will allocate kernel heap without clearing it. For the one driver (niu) that implements it, it will leave the unused portion of heap unchanged and copy the full contents back to userspace.
This is different from CVE-2010-2478, but was introduced at the same time
(0853ad66, 2.6.27-rc1).
Upstream commit:
http://git.kernel.org/linus/ae6df5f96a51818d6376da5307d773baeece4014
Acknowledgements:
Red Hat would like to thank Kees Cook for reporting this issue.
Discussion:
This is a follow-up of CVE-2010-2478. Also see https://bugzilla.redhat.com/show_bug.cgi?id=608950#c2.
Statement:
This issue did not affect the versions of Linux kernel as shipped with
Bugzilla
CVE-2010-2478 kernel: ethtool: kernel buffer overflow in ETHTOOL_GRXCLSRLALL
bugzilla·2010-06-29·CVSS 7.2
CVE-2010-2478 [HIGH] CVE-2010-2478 kernel: ethtool: kernel buffer overflow in ETHTOOL_GRXCLSRLALL
Description of problem:
On a 32-bit machine, info.rule_cnt >= 0x40000000 leads to integer overflow and the buffer may be smaller than needed. Since ETHTOOL_GRXCLSRLALL is unprivileged, this can presumably be used for at least denial of service.
Reference:
http://thread.gmane.org/gmane.linux.network/164869
Discussion:
ethtool_get_rxnfc() was introduced in v2.6.27-rc1 via:
netdev: Add support for rx flow hash configuration, using ethtool.
http://git.kernel.org/linus/0853ad66 v2.6.27-rc1
Also see, ethtool: Add RX pkt classification interface rxhash->rxnfc
http://git.kernel.org/linus/59089d8d
Only the niu (Neptune ethernet) driver uses this ioctl.
---
Statement:
This issue did not affect the versions of Linux
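The size arithmetic behind CVE-2010-2478 and the uninitialized-heap follow-up CVE-2010-3861, as an added example that is not kernel code and not taken from any advisory quoted on this page. It models 32-bit size arithmetic with uint32_t, assumes 4-byte rule entries (consistent with the 0x40000000 threshold in the Bugzilla description) and a hypothetical MAX_ALLOC_BYTES cap, and shows a bounds check before the multiply together with a zero-filled allocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: each rule entry is 4 bytes, which matches the 0x40000000 threshold. */
#define RULE_ENTRY_SIZE 4u
/* Hypothetical cap on one allocation, standing in for an allocator limit. */
#define MAX_ALLOC_BYTES (4u * 1024u * 1024u)

/* Byte count as 32-bit arithmetic computes it: the product wraps modulo 2^32. */
uint32_t unchecked_size32(uint32_t rule_cnt)
{
    return rule_cnt * RULE_ENTRY_SIZE;
}

/* Reject counts whose byte size would exceed the cap (and so could never wrap). */
int checked_size32(uint32_t rule_cnt, uint32_t *bytes)
{
    if (rule_cnt > MAX_ALLOC_BYTES / RULE_ENTRY_SIZE)
        return -1;
    *bytes = rule_cnt * RULE_ENTRY_SIZE;
    return 0;
}

/* Bounds-checked, zero-filled buffer: no short allocation, no stale heap bytes. */
uint32_t *alloc_rule_buf(uint32_t rule_cnt)
{
    uint32_t bytes;

    if (rule_cnt == 0 || checked_size32(rule_cnt, &bytes) != 0)
        return NULL;
    return calloc(rule_cnt, RULE_ENTRY_SIZE);
}

int main(void)
{
    uint32_t counts[] = { 16u, 0x40000000u, 0x40000001u };  /* constructed inputs */

    for (size_t i = 0; i < sizeof(counts) / sizeof(counts[0]); i++) {
        uint32_t *buf = alloc_rule_buf(counts[i]);
        printf("rule_cnt=0x%08x unchecked_bytes=0x%08x checked=%s\n",
               (unsigned)counts[i], (unsigned)unchecked_size32(counts[i]),
               buf ? "allocated" : "rejected");
        free(buf);
    }
    return 0;
}
```

The unchecked product for 0x40000000 entries is 0 bytes and for 0x40000001 entries is 4 bytes, which is why a caller-supplied count has to be validated before it reaches the allocator.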
http://article.gmane.org/gmane.linux.network/164869
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=db048b69037e7fa6a7d9e95a1271a50dc08ae233
http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00004.html
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.33.7
http://www.openwall.com/lists/oss-security/2010/06/29/1
http://www.openwall.com/lists/oss-security/2010/06/29/3
http://www.openwall.com/lists/oss-security/2010/06/30/17
http://www.securityfocus.com/bid/41223
http://www.ubuntu.com/usn/USN-1000-1
https://bugzilla.redhat.com/show_bug.cgi?id=608950