[kernel/f17] CVE-2012-0957: uts: stack memory leak in UNAME26 (rhbz 862877 864824)
Josh Boyer
jwboyer at fedoraproject.org
Mon Oct 22 13:48:39 UTC 2012
commit 8431cbd968ea89e493b724c9e4852fa6428ead77
Author: Josh Boyer <jwboyer at redhat.com>
Date: Mon Oct 22 09:47:05 2012 -0400
CVE-2012-0957: uts: stack memory leak in UNAME26 (rhbz 862877 864824)
fix-stack-memory-content-leak-via-UNAME26.patch | 98 +++++++++++++++++++++++
kernel.spec | 7 ++
2 files changed, 105 insertions(+), 0 deletions(-)
---
diff --git a/fix-stack-memory-content-leak-via-UNAME26.patch b/fix-stack-memory-content-leak-via-UNAME26.patch
new file mode 100644
index 0000000..5121ca0
--- /dev/null
+++ b/fix-stack-memory-content-leak-via-UNAME26.patch
@@ -0,0 +1,98 @@
+From 2702b1526c7278c4d65d78de209a465d4de2885e Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook at chromium.org>
+Date: Fri, 19 Oct 2012 13:56:51 -0700
+Subject: [PATCH 1/2] kernel/sys.c: fix stack memory content leak via UNAME26
+
+Calling uname() with the UNAME26 personality set allows a leak of kernel
+stack contents. This fixes it by defensively calculating the length of
+copy_to_user() call, making the len argument unsigned, and initializing
+the stack buffer to zero (now technically unneeded, but hey, overkill).
+
+CVE-2012-0957
+
+Reported-by: PaX Team <pageexec at freemail.hu>
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: Andi Kleen <ak at linux.intel.com>
+Cc: PaX Team <pageexec at freemail.hu>
+Cc: Brad Spengler <spender at grsecurity.net>
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ kernel/sys.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/sys.c b/kernel/sys.c
+index c5cb5b9..01865c6 100644
+--- a/kernel/sys.c
++++ b/kernel/sys.c
+@@ -1265,15 +1265,16 @@ DECLARE_RWSEM(uts_sem);
+ * Work around broken programs that cannot handle "Linux 3.0".
+ * Instead we map 3.x to 2.6.40+x, so e.g. 3.0 would be 2.6.40
+ */
+-static int override_release(char __user *release, int len)
++static int override_release(char __user *release, size_t len)
+ {
+ int ret = 0;
+- char buf[65];
+
+ if (current->personality & UNAME26) {
+- char *rest = UTS_RELEASE;
++ const char *rest = UTS_RELEASE;
++ char buf[65] = { 0 };
+ int ndots = 0;
+ unsigned v;
++ size_t copy;
+
+ while (*rest) {
+ if (*rest == '.' && ++ndots >= 3)
+@@ -1283,8 +1284,9 @@ static int override_release(char __user *release, int len)
+ rest++;
+ }
+ v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40;
+- snprintf(buf, len, "2.6.%u%s", v, rest);
+- ret = copy_to_user(release, buf, len);
++ copy = min(sizeof(buf), max_t(size_t, 1, len));
++ copy = scnprintf(buf, copy, "2.6.%u%s", v, rest);
++ ret = copy_to_user(release, buf, copy + 1);
+ }
+ return ret;
+ }
+--
+1.7.12.1
+
+
+From 31fd84b95eb211d5db460a1dda85e004800a7b52 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook at chromium.org>
+Date: Fri, 19 Oct 2012 18:45:53 -0700
+Subject: [PATCH 2/2] use clamp_t in UNAME26 fix
+
+The min/max call needed to have explicit types on some architectures
+(e.g. mn10300). Use clamp_t instead to avoid the warning:
+
+ kernel/sys.c: In function 'override_release':
+ kernel/sys.c:1287:10: warning: comparison of distinct pointer types lacks a cast [enabled by default]
+
+Reported-by: Fengguang Wu <fengguang.wu at intel.com>
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ kernel/sys.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/sys.c b/kernel/sys.c
+index 01865c6..e6e0ece 100644
+--- a/kernel/sys.c
++++ b/kernel/sys.c
+@@ -1284,7 +1284,7 @@ static int override_release(char __user *release, size_t len)
+ rest++;
+ }
+ v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40;
+- copy = min(sizeof(buf), max_t(size_t, 1, len));
++ copy = clamp_t(size_t, len, 1, sizeof(buf));
+ copy = scnprintf(buf, copy, "2.6.%u%s", v, rest);
+ ret = copy_to_user(release, buf, copy + 1);
+ }
+--
+1.7.12.1
+
diff --git a/kernel.spec b/kernel.spec
index 2c2a1ae..853299d 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -756,6 +756,9 @@ Patch22074: mac80211-connect-with-HT20-if-HT40-is-not-permitted.patch
#rhbz 856863
Patch22075: rt2x00-usb-fix-reset-resume.patch
+#rhbz 862877 864824 CVE-2012-0957
+Patch22076: fix-stack-memory-content-leak-via-UNAME26.patch
+
Patch22072: linux-3.6-arm-build-fixup.patch
# END OF PATCH DEFINITIONS
@@ -1465,6 +1468,9 @@ ApplyPatch mac80211-connect-with-HT20-if-HT40-is-not-permitted.patch
#rhbz 856863
ApplyPatch rt2x00-usb-fix-reset-resume.patch
+#rhbz 862877 864824 CVE-2012-0957
+ApplyPatch fix-stack-memory-content-leak-via-UNAME26.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2329,6 +2335,7 @@ fi
# '-'
%changelog
* Mon Oct 22 2012 Josh Boyer <jwboyer at redhat.com>
+- CVE-2012-0957: uts: stack memory leak in UNAME26 (rhbz 862877 864824)
- Fix rt2x00 usb reset resume (rhbz 856863)
- Linux v3.6.3
More information about the scm-commits
mailing list