CVE-2010-2963
Published: 19 October 2010
drivers/media/video/v4l2-compat-ioctl32.c in the Video4Linux (V4L) implementation in the Linux kernel before 2.6.36 on 64-bit platforms does not validate the destination of a memory copy operation, which allows local users to write to arbitrary kernel memory locations, and consequently gain privileges, via a VIDIOCSTUNER ioctl call on a /dev/video device, followed by a VIDIOCSMICROCODE ioctl call on this device.
From the Ubuntu security team
Kees Cook discovered that the V4L1 32bit compat interface did not correctly validate certain parameters. A local attacker on a 64bit system with access to a video device could exploit this to gain root privileges.
Priority
Medium
Status
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2963
- https://usn.ubuntu.com/usn/usn-1000-1
- https://usn.ubuntu.com/usn/usn-1074-1
- https://usn.ubuntu.com/usn/usn-1074-2
- https://usn.ubuntu.com/usn/usn-1083-1
- https://usn.ubuntu.com/usn/usn-1093-1
- https://usn.ubuntu.com/usn/usn-1119-1
- NVD
- Launchpad
- Debian