J-Security Center

Title: Linux Kernel Broadcom 5820 Cryptonet Driver Integer Overflow Vulnerability

Severity: MODERATE

Description:

The Broadcom Cryptonet BCM5820 is a hardware cryptography accelerator device. The bcm5820 driver module for Linux implements an interface to use this hardware.

It is reported that the bcm5820 Linux kernel driver contains an integer overflow vulnerability.

The driver contains a function, ubsec_ioctl(), which is used to set up operating parameters for the driver. This function takes user-supplied data and copies it into kernel space. When copying this data, a user-supplied length value is used in a calculation. This calculation could cause an integer overflow when allocating buffer space. The offending code is located in drivers/crypto/bcm/dispatch.c:

    pkey_buf = (unsigned char *) kmalloc((4096+add_dsa_buf_bytes),GFP_KERNEL|GFP_ATOMIC);

add_dsa_buf_bytes is derived from user-supplied data in an argument to ubsec_keysetup(). If a small negative number is passed to this function via ubsec_ioctl(), add_dsa_buf_bytes plus 4096 could result in a small number being passed to kmalloc().

The resulting undersized kernel buffer is then used in another buffer copying operation, which reportedly results in kernel memory being overwritten.

This vulnerability could lead to a system crash, or possibly to code execution in the context of the kernel.
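
The size calculation described above, modeled in user space next to a range-checked form. This is an added example, not code from the driver or from this advisory. It assumes add_dsa_buf_bytes is a signed int; MAX_EXTRA_BYTES and both function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BASE_BUF_BYTES  4096    /* constant from the quoted kmalloc() call */
#define MAX_EXTRA_BYTES 65536   /* assumed policy limit, not from the driver */

/* Models the quoted size expression: a signed, user-controlled length is
 * added to 4096 and the sum is converted to the allocator's size type. */
size_t unchecked_alloc_size(int add_dsa_buf_bytes)
{
    return (size_t)(BASE_BUF_BYTES + add_dsa_buf_bytes);
}

/* Hardened form: reject negative or oversized lengths before any arithmetic.
 * Returns 0 and stores the size in *out, or -1 if the request is refused. */
int checked_alloc_size(int add_dsa_buf_bytes, size_t *out)
{
    if (add_dsa_buf_bytes < 0 || add_dsa_buf_bytes > MAX_EXTRA_BYTES)
        return -1;
    *out = (size_t)BASE_BUF_BYTES + (size_t)add_dsa_buf_bytes;
    return 0;
}

int main(void)
{
    /* Constructed sample lengths, as a caller might supply them. */
    const int samples[] = { 512, -4000, -4097 };
    size_t i, size;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("len=%6d unchecked=%zu ", samples[i],
               unchecked_alloc_size(samples[i]));
        if (checked_alloc_size(samples[i], &size) == 0)
            printf("checked=%zu\n", size);
        else
            printf("checked=rejected\n");
    }
    return 0;
}
```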

This driver is not present in the vanilla Linux kernel, nor is it standard in most distributions of Linux. Red Hat 8, with Linux kernel 2.4.20, is confirmed to include the vulnerable driver, but others are also potentially vulnerable.

Affected Products:

  • RedHat Desktop 3.0.0
  • RedHat Enterprise Linux AS 2.1
  • RedHat Enterprise Linux AS 2.1 IA64
  • RedHat Enterprise Linux AS 3
  • RedHat Enterprise Linux ES 2.1
  • RedHat Enterprise Linux ES 2.1 IA64
  • RedHat Enterprise Linux ES 3
  • RedHat Enterprise Linux WS 2.1
  • RedHat Enterprise Linux WS 2.1 IA64
  • RedHat Enterprise Linux WS 3
  • RedHat Fedora Core1
  • RedHat Linux 8.0.0
  • RedHat Linux 8.0.0 i386
  • RedHat Linux 8.0.0 i686
  • RedHat Linux 9.0.0 i386
  • RedHat kernel-2.4.20-8.athlon.rpm
  • RedHat kernel-2.4.20-8.i386.rpm
  • RedHat kernel-2.4.20-8.i586.rpm
  • RedHat kernel-2.4.20-8.i686.rpm
  • RedHat kernel-smp-2.4.20-8.athlon.rpm
  • RedHat kernel-smp-2.4.20-8.i586.rpm
  • RedHat kernel-smp-2.4.20-8.i686.rpm
  • RedHat kernel-source-2.4.20-8.i386.rpm
