[kernel-sec-discuss] r5273 - active
Ben Hutchings
benh at moszumanska.debian.org
Tue May 9 02:48:26 UTC 2017
Author: benh
Date: 2017-05-09 02:48:26 +0000 (Tue, 09 May 2017)
New Revision: 5273
Modified:
active/CVE-2017-0605
Log:
Add analysis and upstream commit reference for CVE-2017-0605
Modified: active/CVE-2017-0605
===================================================================
--- active/CVE-2017-0605 2017-05-09 02:47:04 UTC (rev 5272)
+++ active/CVE-2017-0605 2017-05-09 02:48:26 UTC (rev 5273)
@@ -2,8 +2,18 @@
References:
https://source.android.com/security/bulletin/2017-05-01
https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=2161ae9a70b12cf18ac8e5952a20161ffbccb477
+ https://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace.git/commit?id=e09e28671cda63e6308b31798b997639120e2a21
Notes:
jmm> From Android security bulletin, not sure if it's also an issue with mainline
+ bwh> trace_find_cmdline() copies a command name out of the cache
+ bwh> (saved_cmdlines) that was first copied from task_struct::comm.
+ bwh> That first copy is done without holding the task lock, which can
+ bwh> result in reading a garbled name. However, it is also done with
+ bwh> memcpy(), so it always includes the last byte which is always
+ bwh> written as 0. So this seems like a theoretical issue, but maybe
+ bwh> I'm missing something. Also, the fix sets a maximum length 1
+ bwh> byte too short.
+ bwh> The upstream commit message seems to agree with this.
Bugs:
upstream:
4.9-upstream-stable:
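Review bot: the `upstream:` and `4.9-upstream-stable:` status fields at the end of the hunk are still empty even though the fixing commit (e09e28671cda...) is now listed under References, so the entry still reads as unfixed; once the release that carries that commit is known, record it in those fields as well, since that is where the entry's fix status lives rather than the References list. The bwh analysis also states that the fix sets the maximum length 1 byte too short; if that is an actual defect in the upstream fix, it deserves an explicit follow-up line in Notes (or a reference to any corrective commit) rather than being left implicit in the analysis.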