Bug 54053 (CVE-2004-0229)

Summary: VUL-0: CVE-2004-0229 incorrect usage of fb_copy_cmap in 2.6
Product: [Novell Products] SUSE Security Incidents
Reporter: Sebastian Krahmer <krahmer>
Component: Incidents
Assignee: Sebastian Krahmer <krahmer>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-0229: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Sebastian Krahmer 2004-04-16 17:37:43 UTC
Date: Thu, 15 Apr 2004 18:34:01 +0100 (BST)
From: Mark J Cox <mjc@redhat.com>
To: vendor-sec@lst.de
Subject: [vendor-sec] CAN-2004-0229 incorrect usage of fb_copy_cmap in 2.6

Looks like local roothole.  See
http://www.kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.5/2.6.5-mm4/broken-out/updated-fbmem-patch.patch

Mark
Comment 1 Sebastian Krahmer 2004-04-16 17:37:43 UTC
...
Comment 2 Hubert Mantel 2004-04-16 17:49:18 UTC
Andrea, can you confirm?
Comment 3 Hubert Mantel 2004-04-16 20:39:17 UTC
Fix committed to CVS both for 9.1 and SLES9. Not yet activated!
Comment 4 Andreas Jaeger 2004-04-21 15:14:08 UTC
When can this get activated?
Comment 5 Andrea Arcangeli 2004-04-21 22:09:59 UTC
Hi,

this was sent by email, the patch is right but with my audit I noticed it's not
fixing everything, the two patches I posted to linux-kernel fix the same bug
in FBIOPUTCMAP too, plus I backported it to 2.4 (it wasn't an immediate
backport since the code is different there but it apparently had the same bug
as 2.6).

http://marc.theaimsgroup.com/?l=linux-kernel&m=108251375714485&w=2

The two patches are untested at this time.

Sebastian Krahmer should be up to date with my two fixes.
Comment 6 Andrea Arcangeli 2004-04-22 07:06:36 UTC
The comment in fb_set_cmap was the opposite of what the code is really doing;
unfortunately I've been negatively influenced by the buggy comment and I
overlooked that the comment was saying the opposite of reality.

See http://marc.theaimsgroup.com/?l=linux-kernel&m=108258775531539&w=2

So in short the original patch from Arjan is correct, and no change to the 2.4
kernel is necessary. I apologise for this stupid mistake of being influenced by
a buggy comment (I even read the implementation but it was too late after
reading the comment, I read it wrong as the comment showed it to me).

Applying the fix for the comment is low priority for our kernels, it should
only be applied in mainline.
 
--- a/drivers/video/fbcmap.c    Fri Feb  6 00:30:15 2004 
+++ b/drivers/video/fbcmap.c    Wed Apr 21 15:40:56 2004 
@@ -207,7 +207,7 @@ 
 /** 
  *     fb_set_cmap - set the colormap 
  *     @cmap: frame buffer colormap structure 
- *     @kspc: boolean, 0 copy local, 1 get_user() function 
+ *     @kspc: boolean, 0 get_user() function , 1 copy local 
  *     @info: frame buffer info structure 
  * 
  *     Sets the colormap @cmap for a screen of device @info. 
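Review bot: stray space before the comma in the new `@kspc` line ("0 get_user() function , 1 copy local"); suggest "@kspc: boolean, 0 get_user() function, 1 copy local". Given that the old wording was inverted relative to the implementation (which is what misled the audit in the comment above), it would also help to spell the direction out rather than leave it terse, e.g. "0: @cmap lives in user space and is read with get_user(), 1: @cmap is a kernel-space copy", so a future reader cannot misread which value means a user-space colormap.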
 
Comment 7 Hubert Mantel 2004-04-26 20:52:40 UTC
Kernels have been submitted and are waiting for check in.
Comment 8 Sebastian Krahmer 2004-05-04 17:25:35 UTC
Kernels approved and announced.
Comment 9 Thomas Biege 2009-10-13 20:19:59 UTC
CVE-2004-0229: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)