[kernel] r19443 - in dists/sid/linux/debian: . patches patches/bugfix/all
Ben Hutchings
benh at alioth.debian.org
Sun Oct 21 03:28:01 UTC 2012
Author: benh
Date: Sun Oct 21 03:27:59 2012
New Revision: 19443
Log:
kernel/sys.c: fix stack memory content leak via UNAME26 (CVE-2012-0957)
Added:
dists/sid/linux/debian/patches/bugfix/all/kernel-sys.c-fix-stack-memory-content-leak-via-UNAME.patch
dists/sid/linux/debian/patches/bugfix/all/use-clamp_t-in-UNAME26-fix.patch
Modified:
dists/sid/linux/debian/changelog
dists/sid/linux/debian/patches/series
Modified: dists/sid/linux/debian/changelog
==============================================================================
--- dists/sid/linux/debian/changelog Sun Oct 21 03:15:40 2012 (r19442)
+++ dists/sid/linux/debian/changelog Sun Oct 21 03:27:59 2012 (r19443)
@@ -96,6 +96,7 @@
* [x86] storvsc: Account for in-transit packets in the RESET path
* fs: handle failed audit_log_start properly
* fs: prevent use after free in auditing when symlink following was denied
+ * kernel/sys.c: fix stack memory content leak via UNAME26 (CVE-2012-0957)
-- Ben Hutchings <ben at decadent.org.uk> Sat, 29 Sep 2012 14:19:46 +0200
Added: dists/sid/linux/debian/patches/bugfix/all/kernel-sys.c-fix-stack-memory-content-leak-via-UNAME.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/all/kernel-sys.c-fix-stack-memory-content-leak-via-UNAME.patch Sun Oct 21 03:27:59 2012 (r19443)
@@ -0,0 +1,60 @@
+From: Kees Cook <keescook at chromium.org>
+Date: Fri, 19 Oct 2012 13:56:51 -0700
+Subject: [1/2] kernel/sys.c: fix stack memory content leak via UNAME26
+
+commit 2702b1526c7278c4d65d78de209a465d4de2885e upstream.
+
+Calling uname() with the UNAME26 personality set allows a leak of kernel
+stack contents. This fixes it by defensively calculating the length of
+copy_to_user() call, making the len argument unsigned, and initializing
+the stack buffer to zero (now technically unneeded, but hey, overkill).
+
+CVE-2012-0957
+
+Reported-by: PaX Team <pageexec at freemail.hu>
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: Andi Kleen <ak at linux.intel.com>
+Cc: PaX Team <pageexec at freemail.hu>
+Cc: Brad Spengler <spender at grsecurity.net>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ kernel/sys.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/sys.c b/kernel/sys.c
+index c5cb5b9..01865c6 100644
+--- a/kernel/sys.c
++++ b/kernel/sys.c
+@@ -1265,15 +1265,16 @@ DECLARE_RWSEM(uts_sem);
+ * Work around broken programs that cannot handle "Linux 3.0".
+ * Instead we map 3.x to 2.6.40+x, so e.g. 3.0 would be 2.6.40
+ */
+-static int override_release(char __user *release, int len)
++static int override_release(char __user *release, size_t len)
+ {
+ int ret = 0;
+- char buf[65];
+
+ if (current->personality & UNAME26) {
+- char *rest = UTS_RELEASE;
++ const char *rest = UTS_RELEASE;
++ char buf[65] = { 0 };
+ int ndots = 0;
+ unsigned v;
++ size_t copy;
+
+ while (*rest) {
+ if (*rest == '.' && ++ndots >= 3)
+@@ -1283,8 +1284,9 @@ static int override_release(char __user *release, int len)
+ rest++;
+ }
+ v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40;
+- snprintf(buf, len, "2.6.%u%s", v, rest);
+- ret = copy_to_user(release, buf, len);
++ copy = min(sizeof(buf), max_t(size_t, 1, len));
++ copy = scnprintf(buf, copy, "2.6.%u%s", v, rest);
++ ret = copy_to_user(release, buf, copy + 1);
+ }
+ return ret;
+ }
Added: dists/sid/linux/debian/patches/bugfix/all/use-clamp_t-in-UNAME26-fix.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/all/use-clamp_t-in-UNAME26-fix.patch Sun Oct 21 03:27:59 2012 (r19443)
@@ -0,0 +1,32 @@
+From: Kees Cook <keescook at chromium.org>
+Date: Fri, 19 Oct 2012 18:45:53 -0700
+Subject: [2/2] use clamp_t in UNAME26 fix
+
+commit 31fd84b95eb211d5db460a1dda85e004800a7b52 upstream.
+
+The min/max call needed to have explicit types on some architectures
+(e.g. mn10300). Use clamp_t instead to avoid the warning:
+
+ kernel/sys.c: In function 'override_release':
+ kernel/sys.c:1287:10: warning: comparison of distinct pointer types lacks a cast [enabled by default]
+
+Reported-by: Fengguang Wu <fengguang.wu at intel.com>
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ kernel/sys.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/sys.c b/kernel/sys.c
+index 01865c6..e6e0ece 100644
+--- a/kernel/sys.c
++++ b/kernel/sys.c
+@@ -1284,7 +1284,7 @@ static int override_release(char __user *release, size_t len)
+ rest++;
+ }
+ v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40;
+- copy = min(sizeof(buf), max_t(size_t, 1, len));
++ copy = clamp_t(size_t, len, 1, sizeof(buf));
+ copy = scnprintf(buf, copy, "2.6.%u%s", v, rest);
+ ret = copy_to_user(release, buf, copy + 1);
+ }
Modified: dists/sid/linux/debian/patches/series
==============================================================================
--- dists/sid/linux/debian/patches/series Sun Oct 21 03:15:40 2012 (r19442)
+++ dists/sid/linux/debian/patches/series Sun Oct 21 03:27:59 2012 (r19443)
@@ -404,3 +404,5 @@
debian/hid-avoid-ABI-change-in-3.2.31.patch
debian/xfrm-avoid-ABI-change-in-3.2.31.patch
bugfix/x86/SCSI-storvsc-Account-for-in-transit-packets-in-the-R.patch
+bugfix/all/kernel-sys.c-fix-stack-memory-content-leak-via-UNAME.patch
+bugfix/all/use-clamp_t-in-UNAME26-fix.patch
More information about the Kernel-svn-changes
mailing list