[kernel/f17] CVE-2012-0957: uts: stack memory leak in UNAME26 (rhbz 862877 864824)

Josh Boyer jwboyer at fedoraproject.org
Mon Oct 22 13:48:39 UTC 2012 

commit 8431cbd968ea89e493b724c9e4852fa6428ead77
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Mon Oct 22 09:47:05 2012 -0400

    CVE-2012-0957: uts: stack memory leak in UNAME26 (rhbz 862877 864824)

 fix-stack-memory-content-leak-via-UNAME26.patch |   98 +++++++++++++++++++++++
 kernel.spec                                     |    7 ++
 2 files changed, 105 insertions(+), 0 deletions(-)
---
diff --git a/fix-stack-memory-content-leak-via-UNAME26.patch b/fix-stack-memory-content-leak-via-UNAME26.patch
new file mode 100644
index 0000000..5121ca0
--- /dev/null
+++ b/fix-stack-memory-content-leak-via-UNAME26.patch
@@ -0,0 +1,98 @@
+From 2702b1526c7278c4d65d78de209a465d4de2885e Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook at chromium.org>
+Date: Fri, 19 Oct 2012 13:56:51 -0700
+Subject: [PATCH 1/2] kernel/sys.c: fix stack memory content leak via UNAME26
+
+Calling uname() with the UNAME26 personality set allows a leak of kernel
+stack contents.  This fixes it by defensively calculating the length of
+copy_to_user() call, making the len argument unsigned, and initializing
+the stack buffer to zero (now technically unneeded, but hey, overkill).
+
+CVE-2012-0957
+
+Reported-by: PaX Team <pageexec at freemail.hu>
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: Andi Kleen <ak at linux.intel.com>
+Cc: PaX Team <pageexec at freemail.hu>
+Cc: Brad Spengler <spender at grsecurity.net>
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ kernel/sys.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/sys.c b/kernel/sys.c
+index c5cb5b9..01865c6 100644
+--- a/kernel/sys.c
++++ b/kernel/sys.c
+@@ -1265,15 +1265,16 @@ DECLARE_RWSEM(uts_sem);
+  * Work around broken programs that cannot handle "Linux 3.0".
+  * Instead we map 3.x to 2.6.40+x, so e.g. 3.0 would be 2.6.40
+  */
+-static int override_release(char __user *release, int len)
++static int override_release(char __user *release, size_t len)
+ {
+ 	int ret = 0;
+-	char buf[65];
+ 
+ 	if (current->personality & UNAME26) {
+-		char *rest = UTS_RELEASE;
++		const char *rest = UTS_RELEASE;
++		char buf[65] = { 0 };
+ 		int ndots = 0;
+ 		unsigned v;
++		size_t copy;
+ 
+ 		while (*rest) {
+ 			if (*rest == '.' && ++ndots >= 3)
+@@ -1283,8 +1284,9 @@ static int override_release(char __user *release, int len)
+ 			rest++;
+ 		}
+ 		v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40;
+-		snprintf(buf, len, "2.6.%u%s", v, rest);
+-		ret = copy_to_user(release, buf, len);
++		copy = min(sizeof(buf), max_t(size_t, 1, len));
++		copy = scnprintf(buf, copy, "2.6.%u%s", v, rest);
++		ret = copy_to_user(release, buf, copy + 1);
+ 	}
+ 	return ret;
+ }
+-- 
+1.7.12.1
+
+
+From 31fd84b95eb211d5db460a1dda85e004800a7b52 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook at chromium.org>
+Date: Fri, 19 Oct 2012 18:45:53 -0700
+Subject: [PATCH 2/2] use clamp_t in UNAME26 fix
+
+The min/max call needed to have explicit types on some architectures
+(e.g. mn10300). Use clamp_t instead to avoid the warning:
+
+  kernel/sys.c: In function 'override_release':
+  kernel/sys.c:1287:10: warning: comparison of distinct pointer types lacks a cast [enabled by default]
+
+Reported-by: Fengguang Wu <fengguang.wu at intel.com>
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ kernel/sys.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/sys.c b/kernel/sys.c
+index 01865c6..e6e0ece 100644
+--- a/kernel/sys.c
++++ b/kernel/sys.c
+@@ -1284,7 +1284,7 @@ static int override_release(char __user *release, size_t len)
+ 			rest++;
+ 		}
+ 		v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40;
+-		copy = min(sizeof(buf), max_t(size_t, 1, len));
++		copy = clamp_t(size_t, len, 1, sizeof(buf));
+ 		copy = scnprintf(buf, copy, "2.6.%u%s", v, rest);
+ 		ret = copy_to_user(release, buf, copy + 1);
+ 	}
+-- 
+1.7.12.1
+
diff --git a/kernel.spec b/kernel.spec
index 2c2a1ae..853299d 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -756,6 +756,9 @@ Patch22074: mac80211-connect-with-HT20-if-HT40-is-not-permitted.patch
 #rhbz 856863
 Patch22075: rt2x00-usb-fix-reset-resume.patch
 
+#rhbz 862877 864824 CVE-2012-0957
+Patch22076: fix-stack-memory-content-leak-via-UNAME26.patch
+
 Patch22072: linux-3.6-arm-build-fixup.patch
 
 # END OF PATCH DEFINITIONS
@@ -1465,6 +1468,9 @@ ApplyPatch mac80211-connect-with-HT20-if-HT40-is-not-permitted.patch
 #rhbz 856863
 ApplyPatch rt2x00-usb-fix-reset-resume.patch
 
+#rhbz 862877 864824 CVE-2012-0957
+ApplyPatch fix-stack-memory-content-leak-via-UNAME26.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2329,6 +2335,7 @@ fi
 #              '-'
 %changelog
 * Mon Oct 22 2012 Josh Boyer <jwboyer at redhat.com>
+- CVE-2012-0957: uts: stack memory leak in UNAME26 (rhbz 862877 864824)
 - Fix rt2x00 usb reset resume (rhbz 856863)
 - Linux v3.6.3

More information about the scm-commits mailing list