[kernel-sec-discuss] r5618 - active retired

Salvatore Bonaccorso carnil at moszumanska.debian.org
Fri Oct 6 21:04:44 UTC 2017


Author: carnil
Date: 2017-10-06 21:04:44 +0000 (Fri, 06 Oct 2017)
New Revision: 5618

Added:
   retired/CVE-2017-0605
Removed:
   active/CVE-2017-0605
Log:
Move CVE-2017-0605 to retired, add note for REJECTED status

Deleted: active/CVE-2017-0605
===================================================================
--- active/CVE-2017-0605	2017-10-06 21:04:41 UTC (rev 5617)
+++ active/CVE-2017-0605	2017-10-06 21:04:44 UTC (rev 5618)
@@ -1,25 +0,0 @@
-Description: trace: resolve stack corruption due to string copy
-References:
- https://source.android.com/security/bulletin/2017-05-01
- https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=2161ae9a70b12cf18ac8e5952a20161ffbccb477
- https://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace.git/commit?id=e09e28671cda63e6308b31798b997639120e2a21
-Notes:
- jmm> From Android security bulletin, not sure if it's also an issue with mainline
- bwh> trace_find_cmdline() copies a command name out of the cache
- bwh> (saved_cmdlines) that was first copied from task_struct::comm.
- bwh> That first copy is done without holding the task lock, which can
- bwh> result in reading a garbled name.  However, it is also done with
- bwh> memcpy(), so it always includes the last byte which is always
- bwh> written as 0.  So this seems like a theoretical issue, but maybe
- bwh> I'm missing something.  Also, the fix sets a maximum length 1
- bwh> byte too short.
- bwh> The upstream commit message seems to agree with this.
-Bugs:
-upstream: released (4.12-rc1) [e09e28671cda63e6308b31798b997639120e2a21]
-4.9-upstream-stable: needed
-3.16-upstream-stable: released (3.16.44) [a1141b19b23a0605d46f3fab63fd2d76207096c4]
-3.2-upstream-stable: released (3.2.89) [e39e64193a8a611d11d4c62579a7246c1af70d1c]
-sid: released (4.9.30-1) [bugfix/all/tracing-Use-strlcpy-instead-of-strcpy-in-__trace_fin.patch]
-4.9-stretch-security: N/A "Fixed before branching point"
-3.16-jessie-security: released (3.16.43-2+deb8u1) [bugfix/all/tracing-Use-strlcpy-instead-of-strcpy-in-__trace_fin.patch]
-3.2-wheezy-security: released (3.2.89-1)

Copied: retired/CVE-2017-0605 (from rev 5617, active/CVE-2017-0605)
===================================================================
--- retired/CVE-2017-0605	                        (rev 0)
+++ retired/CVE-2017-0605	2017-10-06 21:04:44 UTC (rev 5618)
@@ -0,0 +1,29 @@
+Description: trace: resolve stack corruption due to string copy
+References:
+ https://source.android.com/security/bulletin/2017-05-01
+ https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=2161ae9a70b12cf18ac8e5952a20161ffbccb477
+ https://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace.git/commit?id=e09e28671cda63e6308b31798b997639120e2a21
+Notes:
+ jmm> From Android security bulletin, not sure if it's also an issue with mainline
+ bwh> trace_find_cmdline() copies a command name out of the cache
+ bwh> (saved_cmdlines) that was first copied from task_struct::comm.
+ bwh> That first copy is done without holding the task lock, which can
+ bwh> result in reading a garbled name.  However, it is also done with
+ bwh> memcpy(), so it always includes the last byte which is always
+ bwh> written as 0.  So this seems like a theoretical issue, but maybe
+ bwh> I'm missing something.  Also, the fix sets a maximum length 1
+ bwh> byte too short.
+ bwh> The upstream commit message seems to agree with this.
+ carnil> The CVE has been REJECTED, cf.
+ carnil> https://marc.info/?l=oss-security&m=150703005326252&w=2
+ carnil> keeping the entry in 'retired' in case we need to reevaluate/prove
+ carnil> status.
+Bugs:
+upstream: released (4.12-rc1) [e09e28671cda63e6308b31798b997639120e2a21]
+4.9-upstream-stable: needed
+3.16-upstream-stable: released (3.16.44) [a1141b19b23a0605d46f3fab63fd2d76207096c4]
+3.2-upstream-stable: released (3.2.89) [e39e64193a8a611d11d4c62579a7246c1af70d1c]
+sid: released (4.9.30-1) [bugfix/all/tracing-Use-strlcpy-instead-of-strcpy-in-__trace_fin.patch]
+4.9-stretch-security: N/A "Fixed before branching point"
+3.16-jessie-security: released (3.16.43-2+deb8u1) [bugfix/all/tracing-Use-strlcpy-instead-of-strcpy-in-__trace_fin.patch]
+3.2-wheezy-security: released (3.2.89-1)
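Review bot: The branch status lines are carried over unchanged, so "4.9-upstream-stable: needed" still reads as an open item even though the carnil> note above records the CVE as REJECTED. If retired entries are still picked up by the tracker scripts, consider closing that line out the same way the stretch line already is (e.g. `4.9-upstream-stable: N/A "CVE REJECTED"`), or stating in Notes that the remaining "needed" is moot, so a later reader does not try to backport the 4.12-rc1 commit on the strength of this entry.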
