[kernel-sec-discuss] r5273 - active

Ben Hutchings benh at moszumanska.debian.org
Tue May 9 02:48:26 UTC 2017


Author: benh
Date: 2017-05-09 02:48:26 +0000 (Tue, 09 May 2017)
New Revision: 5273

Modified:
   active/CVE-2017-0605
Log:
Add analysis and upstream commit reference for CVE-2017-0605

Modified: active/CVE-2017-0605
===================================================================
--- active/CVE-2017-0605	2017-05-09 02:47:04 UTC (rev 5272)
+++ active/CVE-2017-0605	2017-05-09 02:48:26 UTC (rev 5273)
@@ -2,8 +2,18 @@
 References:
  https://source.android.com/security/bulletin/2017-05-01
  https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=2161ae9a70b12cf18ac8e5952a20161ffbccb477
+ https://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace.git/commit?id=e09e28671cda63e6308b31798b997639120e2a21
 Notes:
  jmm> From Android security bulletin, not sure if it's also an issue with mainline
+ bwh> trace_find_cmdline() copies a command name out of the cache
+ bwh> (saved_cmdlines) that was first copied from task_struct::comm.
+ bwh> That first copy is done without holding the task lock, which can
+ bwh> result in reading a garbled name.  However, it is also done with
+ bwh> memcpy(), so it always includes the last byte which is always
+ bwh> written as 0.  So this seems like a theoretical issue, but maybe
+ bwh> I'm missing something.  Also, the fix sets a maximum length 1
+ bwh> byte too short.
+ bwh> The upstream commit message seems to agree with this.
 Bugs:
 upstream:
 4.9-upstream-stable:
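Review bot: the `upstream:` and `4.9-upstream-stable:` status lines at the end of the hunk are left empty even though the fix commit (e09e28671cda63e6308b31798b997639120e2a21) is now added under References; the status fields should record that the upstream fix is known so the entry is not left looking unanalysed. Also, the new bwh> notes assert that the last byte of task_struct::comm "is always written as 0" without pointing at what guarantees it; since the "theoretical issue" conclusion rests on that claim, naming the code path that writes the terminator would let a later reader verify it rather than take it on trust. The observation that the fix "sets a maximum length 1 byte too short" should likewise be carried into the status lines, since it may mean the upstream commit alone is not the final word.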
