CVE-2010-2963
Published 2010-11-26
Severity: Medium 6.2 (CVSS 3.1)
Vector: AV:L/AC:H/Au:N/C:C/I:C/A:C
Tags: EXPLOIT
drivers/media/video/v4l2-compat-ioctl32.c in the Video4Linux (V4L) implementation in the Linux kernel before 2.6.36 on 64-bit platforms does not validate the destination of a memory copy operation, which allows local users to write to arbitrary kernel memory locations, and consequently gain privileges, via a VIDIOCSTUNER ioctl call on a /dev/video device, followed by a VIDIOCSMICROCODE ioctl call on this device.
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| linux | linux_kernel | < 2.6.36 | 2.6.36 |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
| suse | linux_enterprise_desktop | — | — |
| suse | linux_enterprise_server | — | — |
Ubuntu: Linux kernel (OMAP4) vulnerabilities
vendor_ubuntu · 2011-04-20 · CVSS 4.9
CVE-2010-2954 [MEDIUM]
Summary: Multiple security flaws have been fixed in the OMAP4 port of the Linux kernel.

Dan Rosenberg discovered that the RDS network protocol did not correctly check certain parameters. A local attacker could exploit this to gain root privileges. (CVE-2010-3904)

Nelson Elhage discovered several problems with the Acorn Econet protocol driver. A local user could cause a denial of service via a NULL pointer dereference, escalate privileges by overflowing the kernel stack, and assign Econet addresses to arbitrary interfaces. (CVE-2010-3848, CVE-2010-3849, CVE-2010-3850)

Ben Hawkes discovered that the Linux kernel did not correctly validate memory ranges on 64-bit kernels when allocating memory on behalf of 32-bit system calls. On a 64-bit system, a lo
Ubuntu: Linux Kernel vulnerabilities (Marvell Dove)
vendor_ubuntu · 2011-03-25 · CVSS 7.2
CVE-2010-2478 [HIGH]
Summary: An attacker could send crafted input to the kernel and cause it to crash.

Dan Rosenberg discovered that the RDS network protocol did not correctly check certain parameters. A local attacker could exploit this to gain root privileges. (CVE-2010-3904)

Nelson Elhage discovered several problems with the Acorn Econet protocol driver. A local user could cause a denial of service via a NULL pointer dereference, escalate privileges by overflowing the kernel stack, and assign Econet addresses to arbitrary interfaces. (CVE-2010-3848, CVE-2010-3849, CVE-2010-3850)

Ben Hutchings discovered that the ethtool interface did not correctly check certain sizes. A local attacker could perform malicious ioctl calls that could crash the system, leadin
Ubuntu: Linux kernel vulnerabilities
vendor_ubuntu · 2011-03-03 · CVSS 4.7
CVE-2009-4895 [MEDIUM]
Summary: Multiple kernel flaws.

Dan Rosenberg discovered that the RDS network protocol did not correctly check certain parameters. A local attacker could exploit this to gain root privileges. (CVE-2010-3904)

Nelson Elhage discovered several problems with the Acorn Econet protocol driver. A local user could cause a denial of service via a NULL pointer dereference, escalate privileges by overflowing the kernel stack, and assign Econet addresses to arbitrary interfaces. (CVE-2010-3848, CVE-2010-3849, CVE-2010-3850)

Ben Hawkes discovered that the Linux kernel did not correctly filter registers on 64-bit kernels when performing 32-bit system calls. On a 64-bit system, a local attacker could manipulate 32-bit system calls to gain root privileges. (CVE-2010-3301)
Ubuntu: Linux kernel vulnerabilities
vendor_ubuntu · 2011-02-28 · CVSS 4.7
CVE-2009-4895 [MEDIUM]
Summary: Multiple kernel flaws.

Dan Rosenberg discovered that the RDS network protocol did not correctly check certain parameters. A local attacker could exploit this to gain root privileges. (CVE-2010-3904)

Nelson Elhage discovered several problems with the Acorn Econet protocol driver. A local user could cause a denial of service via a NULL pointer dereference, escalate privileges by overflowing the kernel stack, and assign Econet addresses to arbitrary interfaces. (CVE-2010-3848, CVE-2010-3849, CVE-2010-3850)

Ben Hawkes discovered that the Linux kernel did not correctly filter registers on 64-bit kernels when performing 32-bit system calls. On a 64-bit system, a local attacker could manipulate 32-bit system calls to gain root privileges. (CVE-2010-3301)
Ubuntu: Linux kernel vulnerabilities
vendor_ubuntu · 2011-02-25 · CVSS 4.7
CVE-2009-4895 [MEDIUM]
Summary: Multiple kernel flaws.

Al Viro discovered a race condition in the TTY driver. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2009-4895)

Dan Rosenberg discovered that the MOVE_EXT ext4 ioctl did not correctly check file permissions. A local attacker could overwrite append-only files, leading to potential data loss. (CVE-2010-2066)

Dan Rosenberg discovered that the swapexit xfs ioctl did not correctly check file permissions. A local attacker could exploit this to read from write-only files, leading to a loss of privacy. (CVE-2010-2226)

Gael Delalleu, Rafal Wojtczuk, and Brad Spengler discovered that the memory manager did not properly handle when applications grow stacks into adjacent memory regi
Red Hat: kernel: v4l: VIDIOCSMICROCODE arbitrary write
vendor_redhat · 2010-10-19 · CVSS 6.2
CVE-2010-2963 [MEDIUM]

A vulnerability was discovered in the 32-bit compatibility code for the VIDIOCSMICROCODE IOCTL (Input/Output Control) in the Video4Linux implementation. It does not affect Red Hat Enterprise Linux 5, but as a preventive measure, this update removes the code. Red Hat would like to thank Kees Cook for reporting this vulnerability.
Stat
Ubuntu: Linux kernel vulnerabilities
vendor_ubuntu · 2010-10-19 · CVSS 4.7
CVE-2010-2525 [MEDIUM]
Summary: Multiple security issues fixed.

Dan Rosenberg discovered that the RDS network protocol did not correctly check certain parameters. A local attacker could exploit this to gain root privileges. (CVE-2010-3904)

Al Viro discovered a race condition in the TTY driver. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2009-4895)

Dan Rosenberg discovered that the MOVE_EXT ext4 ioctl did not correctly check file permissions. A local attacker could overwrite append-only files, leading to potential data loss. (CVE-2010-2066)

Dan Rosenberg discovered that the swapexit xfs ioctl did not correctly check file permissions. A local attacker could exploit this to read from write-only files, leading to a loss of privac
GHSA: GHSA-7276-wmh7-g227: drivers/media/video/v4l2-compat-ioctl32
ghsa_unreviewed · 2022-05-13
CVE-2010-2963 [MEDIUM] CWE-20
Kernel: x86/entry: Add STACKLEAK erasing the kernel stack at the end of syscalls
kernel_security · 2018-08-17 · CVSS 6.2
CVE-2010-2963 [MEDIUM]

The STACKLEAK feature (initially developed by PaX Team) has the following benefits:

1. Reduces the information that can be revealed through kernel stack leak bugs. The idea of erasing the thread stack at the end of syscalls is similar to CONFIG_PAGE_POISONING and memzero_explicit() in kernel crypto, which all comply with FDP_RIP.2 (Full Residual Information Protection) of the Common Criteria standard.
2. Blocks some uninitialized stack variable attacks (e.g. CVE-2017-17712, CVE-2010-2963). That kind of bug should be killed by improving C compilers in future, which might take a long time.

This commit introduces the code filling the used part of the kernel stack with a poison value before returning to userspace. Fu
Detection rules: none found.
Bugzilla: CVE-2010-2963 kernel: v4l: VIDIOCSMICROCODE arbitrary write [mrg-1.3]
bugzilla · 2010-10-13 · CVSS 6.2
CVE-2010-2963 [MEDIUM]

The VIDIOCSMICROCODE is used only on this driver, and it requires some special program to upload a firmware, and a firmware blob. This one is enabled at MRG:

```
$ grep -i STRA MRG/configs/kernel-2.6.33.7-rt29-mrg45-x86_64-rt*
MRG/configs/kernel-2.6.33.7-rt29-mrg45-x86_64-rt.config:CONFIG_VIDEO_STRADIS=m
MRG/configs/kernel-2.6.33.7-rt29-mrg45-x86_64-rtdebug.config:CONFIG_VIDEO_STRADIS=m
MRG/configs/kernel-2.6.33.7-rt29-mrg45-x86_64-rttrace.config:CONFIG_VIDEO_STRADIS=m
MRG/configs/kernel-2.6.33.7-rt29-mrg45-x86_64-rtvanilla.config:CONFIG_VIDEO_STRADIS=m
```

Do you have any user using it and/or any hardware for testing, and the firmware files/userspace program to work with?

We're removing this driver from kernel, as we couldn
Bugzilla: CVE-2010-2963 kernel: v4l: VIDIOCSMICROCODE arbitrary write [rhel-5.5.z]
bugzilla · 2010-10-13 · CVSS 6.2
CVE-2010-2963 [MEDIUM]

Ok, only the Stradis driver actually uses it. I doubt that stradis still works nowadays, and it is not compiled on RHEL5/RHEL6. Need to check mrg. The patch is as simple as removing the compat bits for this ioctl.

Discussion:

(In reply to comment #1)
> Ok, only the Stradis driver actually uses it. I doubt that stradis still works
> nowadays, and it is not compiled on RHEL5/RHEL6.

Well in that case we may close this as notabug, right Eugene?

---

(In reply to comment #2)
> (In reply to comment #1)
> > Ok, only the Stradis driver actually uses it. I doubt that stradis still works
> > nowadays, and it is not compiled on RHEL5/RHEL6.
>
> Well in that case we may close this as notabug, right Eugene?

No, we can't. The v4l2-compat layer is
Bugzilla: CVE-2010-2963 kernel: v4l: VIDIOCSMICROCODE arbitrary write
bugzilla · 2010-10-13 · CVSS 6.2
CVE-2010-2963 [MEDIUM]

The ioctl32 v4l1 compat code for VIDIOCSMICROCODE does not check the destination buffer for a copy_from_user() call, which allows anyone with access to a v4l device to write to arbitrary kernel memory locations. This allocates the memory and uses a compat pointer for the copy.

Acknowledgements:
Red Hat would like to thank Kees Cook for reporting this issue.

Discussion:

Introduced in eb4eeccc (v2.6.18-rc4), also see in 92f45bad (v2.6.29-rc1).

---

Public demo:
http://www.youtube.com/watch?v=CLxpae-M7Js

---

Ok, only the Stradis driver actually uses it. I doubt that stradis still works nowadays, and it is not compiled on RHEL5/RHEL6. Need to check mrg. The patch is as simple as removing the compat bits for this ioctl.

---
Statement:
References:
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=3e645d6b485446c54c6745c5e2cf5c528fe4deec
- http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052513.html
- http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00008.html
- http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00004.html
- http://secunia.com/advisories/42745
- http://www.debian.org/security/2010/dsa-2126
- http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.36
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:257
- http://www.outflux.net/blog/archives/2010/10/19/cve-2010-2963-v4l-compat-exploit/
- http://www.securityfocus.com/bid/44242
- http://www.securitytracker.com/id?1024710
- http://www.ubuntu.com/usn/USN-1000-1
- http://www.vupen.com/english/advisories/2010/3321
- https://bugzilla.redhat.com/show_bug.cgi?id=642465