CVE-2013-2596 : Integer overflow in the fb_mmap function in drivers/video/fbmem.c in the Linux k

Integer overflow in the fb_mmap function in drivers/video/fbmem.c in the Linux kernel before 3.8.9, as used in a certain Motorola build of Android 4.1.2 and other products, allows local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted /dev/graphics/fb0 mmap2 system calls, as demonstrated by the Motochopper pwn program.

Published 2013-04-13 02:59:47

Updated 2025-02-07 15:15:13

Source MITRE

View at NVD, CVE.org

Vulnerability category: Overflow

Products affected by CVE-2013-2596

Linux » Linux Kernel
Versions from including (>=) 3.5 and before (<) 3.8.9
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
When used together with: Motorola » Atrix Hd » Version: N/A
When used together with: Motorola » Razr Hd » Version: N/A
When used together with: Motorola » Razr M » Version: N/A
When used together with: Qualcomm » Msm8960 » Version: N/A
Linux » Linux Kernel
Versions from including (>=) 3.1 and before (<) 3.2.45
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
When used together with: Motorola » Atrix Hd » Version: N/A
When used together with: Motorola » Razr Hd » Version: N/A
When used together with: Motorola » Razr M » Version: N/A
When used together with: Qualcomm » Msm8960 » Version: N/A
Linux » Linux Kernel
Versions from including (>=) 3.3 and before (<) 3.4.42
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
When used together with: Motorola » Atrix Hd » Version: N/A
When used together with: Motorola » Razr Hd » Version: N/A
When used together with: Motorola » Razr M » Version: N/A
When used together with: Qualcomm » Msm8960 » Version: N/A
Linux » Linux Kernel
Versions from including (>=) 2.6.12 and before (<) 3.0.75
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
When used together with: Motorola » Atrix Hd » Version: N/A
When used together with: Motorola » Razr Hd » Version: N/A
When used together with: Motorola » Razr M » Version: N/A
When used together with: Qualcomm » Msm8960 » Version: N/A
Motorola » Android » Version: 4.1.2
cpe:2.3:o:motorola:android:4.1.2:*:*:*:*:*:*:*
Matching versions
When used together with: Motorola » Atrix Hd » Version: N/A
When used together with: Motorola » Razr Hd » Version: N/A
When used together with: Motorola » Razr M » Version: N/A
When used together with: Qualcomm » Msm8960 » Version: N/A

CVE-2013-2596 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

Linux Kernel Integer Overflow Vulnerability

CISA required action:

Apply updates per vendor instructions.

CISA description:

Linux kernel fb_mmap function in drivers/video/fbmem.c contains an integer overflow vulnerability that allows for privilege escalation.

Notes:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fc9bbca8f650e5f738af8806317c0a041a48ae4a; https://nvd.nist.gov/vuln/detail/CVE-2013-2596

Added on 2022-09-15 Action due date 2022-10-06

Exploit prediction scoring system (EPSS) score for CVE-2013-2596

EPSS FAQ

0.18%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 55 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2013-2596

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.9	MEDIUM	AV:L/AC:M/Au:N/C:C/I:C/A:C	3.4	10.0	NIST
Access Vector: Local Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-02-07
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST	2024-12-20
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2013-2596

CWE-189

Assigned by: nvd@nist.gov (Primary)
CWE-190 Integer Overflow or Wraparound

The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2013-2596

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=b4cbb197c7e7a68dbad0d491242e3ca67420c13e

kernel/git/torvalds/linux.git - Linux kernel source tree
Patch;Vendor Advisory
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761

Juniper Networks - 2016-10 Security Bulletin: CTPView: Multiple vulnerabilities in CTPView
Third Party Advisory

CVEs referencing this url
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=fc9bbca8f650e5f738af8806317c0a041a48ae4a

kernel/git/torvalds/linux.git - Linux kernel source tree
Exploit;Patch;Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2015-0782.html

RHSA-2015:0782 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=b4cbb197c7e7a68dbad0d491242e3ca67420c13e

Broken Link
http://rhn.redhat.com/errata/RHSA-2015-0803.html

RHSA-2015:0803 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://github.com/torvalds/linux/commit/fc9bbca8f650e5f738af8806317c0a041a48ae4a

vm: convert fb_mmap to vm_iomap_memory() helper · torvalds/linux@fc9bbca · GitHub
Exploit;Patch
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=fc9bbca8f650e5f738af8806317c0a041a48ae4a

Broken Link
https://github.com/torvalds/linux/commit/b4cbb197c7e7a68dbad0d491242e3ca67420c13e

vm: add vm_iomap_memory() helper function · torvalds/linux@b4cbb19 · GitHub
Patch
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.8.9

Mailing List;Release Notes

CVEs referencing this url
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html

Oracle Linux Bulletin - January 2016
Patch;Third Party Advisory

CVEs referencing this url
http://www.droidrzr.com/index.php/topic/15208-root-motochopper-yet-another-android-root-exploit/

Exploit;Issue Tracking
http://www.droid-life.com/2013/04/09/root-method-released-for-droid-razr-hd-running-android-4-1-2-other-devices-too/

Root Method Released for DROID RAZR HD Running Android 4.1.2, Other Devices Too – Droid Life
Exploit;Issue Tracking;Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2013:176

mandriva.com
Broken Link

CVEs referencing this url
http://forum.xda-developers.com/showthread.php?t=2255491

[Q] Understanding how motochopper works
Exploit
http://rhn.redhat.com/errata/RHSA-2015-0695.html

RHSA-2015:0695 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/59264

Motorola Multiple Devices For Android Local Privilege Escalation Vulnerability
Broken Link;Third Party Advisory;VDB Entry
http://marc.info/?l=linux-kernel&m=136616837923938&w=2

'Device driver memory 'mmap()' function helper cleanup' - MARC
Mailing List;Patch;Third Party Advisory