CVE-2010-4157 - Integer overflow in the ioc_general function in drivers/scsi/gdth.c in the Linux kernel before 2.6.3

CVE-2010-4157

Summary

Integer overflow in the ioc_general function in drivers/scsi/gdth.c in the Linux kernel before 2.6.36.1 on 64-bit platforms allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a large argument in an ioctl call.

References

Vulnerable Configurations

cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:x64:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:x64:*
cpe:2.3:o:linux:linux_kernel:2.6.36:*:*:*:*:*:x64:*
cpe:2.3:o:linux:linux_kernel:2.6.36:*:*:*:*:*:x64:*
cpe:2.3:o:fedoraproject:fedora:13:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:13:*:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_server:10:sp3:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_server:10:sp3:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_desktop:11:sp1:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_desktop:11:sp1:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_server:11:sp1:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_server:11:sp1:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_server:9:*:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_server:9:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:opensuse:11.2:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:opensuse:11.2:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:opensuse:11.3:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:opensuse:11.3:*:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_desktop:10:sp3:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_desktop:10:sp3:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_software_development_kit:10:sp3:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_software_development_kit:10:sp3:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_real_time_extension:11:sp1:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_real_time_extension:11:sp1:*:*:*:*:*:*

CVSS

Base:	6.2 (as of 13-02-2023 - 04:27)
Impact:
Exploitability:

CWE

CWE-190

CAPEC

Forced Integer Overflow
This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.

Access

Vector	Complexity	Authentication
LOCAL	HIGH	NONE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:L/AC:H/Au:N/C:C/I:C/A:C

redhat via4

advisories

rhsa
id RHSA-2010:0958
rhsa
id RHSA-2011:0004
rhsa
id RHSA-2011:0162

rpms

kernel-rt-0:2.6.33.7-rt29.47.el5rt
kernel-rt-debug-0:2.6.33.7-rt29.47.el5rt
kernel-rt-debug-debuginfo-0:2.6.33.7-rt29.47.el5rt
kernel-rt-debug-devel-0:2.6.33.7-rt29.47.el5rt
kernel-rt-debuginfo-0:2.6.33.7-rt29.47.el5rt
kernel-rt-debuginfo-common-0:2.6.33.7-rt29.47.el5rt
kernel-rt-devel-0:2.6.33.7-rt29.47.el5rt
kernel-rt-doc-0:2.6.33.7-rt29.47.el5rt
kernel-rt-trace-0:2.6.33.7-rt29.47.el5rt
kernel-rt-trace-debuginfo-0:2.6.33.7-rt29.47.el5rt
kernel-rt-trace-devel-0:2.6.33.7-rt29.47.el5rt
kernel-rt-vanilla-0:2.6.33.7-rt29.47.el5rt
kernel-rt-vanilla-debuginfo-0:2.6.33.7-rt29.47.el5rt
kernel-rt-vanilla-devel-0:2.6.33.7-rt29.47.el5rt
perf-0:2.6.33.7-rt29.47.el5rt
perf-debuginfo-0:2.6.33.7-rt29.47.el5rt
kernel-0:2.6.18-194.32.1.el5
kernel-PAE-0:2.6.18-194.32.1.el5
kernel-PAE-debuginfo-0:2.6.18-194.32.1.el5
kernel-PAE-devel-0:2.6.18-194.32.1.el5
kernel-debug-0:2.6.18-194.32.1.el5
kernel-debug-debuginfo-0:2.6.18-194.32.1.el5
kernel-debug-devel-0:2.6.18-194.32.1.el5
kernel-debuginfo-0:2.6.18-194.32.1.el5
kernel-debuginfo-common-0:2.6.18-194.32.1.el5
kernel-devel-0:2.6.18-194.32.1.el5
kernel-doc-0:2.6.18-194.32.1.el5
kernel-headers-0:2.6.18-194.32.1.el5
kernel-kdump-0:2.6.18-194.32.1.el5
kernel-kdump-debuginfo-0:2.6.18-194.32.1.el5
kernel-kdump-devel-0:2.6.18-194.32.1.el5
kernel-xen-0:2.6.18-194.32.1.el5
kernel-xen-debuginfo-0:2.6.18-194.32.1.el5
kernel-xen-devel-0:2.6.18-194.32.1.el5
kernel-0:2.6.9-89.35.1.EL
kernel-debuginfo-0:2.6.9-89.35.1.EL
kernel-devel-0:2.6.9-89.35.1.EL
kernel-doc-0:2.6.9-89.35.1.EL
kernel-hugemem-0:2.6.9-89.35.1.EL
kernel-hugemem-devel-0:2.6.9-89.35.1.EL
kernel-largesmp-0:2.6.9-89.35.1.EL
kernel-largesmp-devel-0:2.6.9-89.35.1.EL
kernel-smp-0:2.6.9-89.35.1.EL
kernel-smp-devel-0:2.6.9-89.35.1.EL
kernel-xenU-0:2.6.9-89.35.1.EL
kernel-xenU-devel-0:2.6.9-89.35.1.EL

refmap via4

bid	44648
bugtraq	20111013 VMSA-2011-0012 VMware ESXi and ESX updates to third party libraries and ESX Service Console
confirm	http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f63ae56e4e97fb12053590e41a4fa59e7daa74a4 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.36.1 http://www.vmware.com/security/advisories/VMSA-2011-0012.html https://bugzilla.redhat.com/show_bug.cgi?id=651147
fedora	FEDORA-2010-18983
mlist	[linux-scsi] 20101008 [patch] gdth: integer overflow in ioctl [oss-security] 20101108 CVE request: kernel: gdth: integer overflow in ioc_general() [oss-security] 20101108 Re: CVE request: kernel: gdth: integer overflow in ioc_general() [oss-security] 20101109 Re: CVE request: kernel: gdth: integer overflow in ioc_general() [oss-security] 20101110 Re: CVE request: kernel: gdth: integer overflow in ioc_general()
secunia	42745 42778 42789 42801 42932 42963 43291 46397
suse	SUSE-SA:2010:060 SUSE-SA:2011:001 SUSE-SA:2011:002 SUSE-SA:2011:004 SUSE-SA:2011:007 SUSE-SA:2011:008
vupen	ADV-2010-3321 ADV-2011-0012 ADV-2011-0024 ADV-2011-0124 ADV-2011-0168 ADV-2011-0298 ADV-2011-0375

Last major update

13-02-2023 - 04:27

Published

10-12-2010 - 19:00

Last modified

13-02-2023 - 04:27