[kernel] r19443 - in dists/sid/linux/debian: . patches patches/bugfix/all

Ben Hutchings benh at alioth.debian.org
Sun Oct 21 03:28:01 UTC 2012 

Author: benh
Date: Sun Oct 21 03:27:59 2012
New Revision: 19443

Log:
kernel/sys.c: fix stack memory content leak via UNAME26 (CVE-2012-0957)

Added:
   dists/sid/linux/debian/patches/bugfix/all/kernel-sys.c-fix-stack-memory-content-leak-via-UNAME.patch
   dists/sid/linux/debian/patches/bugfix/all/use-clamp_t-in-UNAME26-fix.patch
Modified:
   dists/sid/linux/debian/changelog
   dists/sid/linux/debian/patches/series

Modified: dists/sid/linux/debian/changelog
==============================================================================
--- dists/sid/linux/debian/changelog	Sun Oct 21 03:15:40 2012	(r19442)
+++ dists/sid/linux/debian/changelog	Sun Oct 21 03:27:59 2012	(r19443)
@@ -96,6 +96,7 @@
   * [x86] storvsc: Account for in-transit packets in the RESET path
   * fs: handle failed audit_log_start properly
   * fs: prevent use after free in auditing when symlink following was denied
+  * kernel/sys.c: fix stack memory content leak via UNAME26 (CVE-2012-0957)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sat, 29 Sep 2012 14:19:46 +0200
 

Added: dists/sid/linux/debian/patches/bugfix/all/kernel-sys.c-fix-stack-memory-content-leak-via-UNAME.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/all/kernel-sys.c-fix-stack-memory-content-leak-via-UNAME.patch	Sun Oct 21 03:27:59 2012	(r19443)
@@ -0,0 +1,60 @@
+From: Kees Cook <keescook at chromium.org>
+Date: Fri, 19 Oct 2012 13:56:51 -0700
+Subject: [1/2] kernel/sys.c: fix stack memory content leak via UNAME26
+
+commit 2702b1526c7278c4d65d78de209a465d4de2885e upstream.
+
+Calling uname() with the UNAME26 personality set allows a leak of kernel
+stack contents.  This fixes it by defensively calculating the length of
+copy_to_user() call, making the len argument unsigned, and initializing
+the stack buffer to zero (now technically unneeded, but hey, overkill).
+
+CVE-2012-0957
+
+Reported-by: PaX Team <pageexec at freemail.hu>
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: Andi Kleen <ak at linux.intel.com>
+Cc: PaX Team <pageexec at freemail.hu>
+Cc: Brad Spengler <spender at grsecurity.net>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ kernel/sys.c |   12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/sys.c b/kernel/sys.c
+index c5cb5b9..01865c6 100644
+--- a/kernel/sys.c
++++ b/kernel/sys.c
+@@ -1265,15 +1265,16 @@ DECLARE_RWSEM(uts_sem);
+  * Work around broken programs that cannot handle "Linux 3.0".
+  * Instead we map 3.x to 2.6.40+x, so e.g. 3.0 would be 2.6.40
+  */
+-static int override_release(char __user *release, int len)
++static int override_release(char __user *release, size_t len)
+ {
+ 	int ret = 0;
+-	char buf[65];
+ 
+ 	if (current->personality & UNAME26) {
+-		char *rest = UTS_RELEASE;
++		const char *rest = UTS_RELEASE;
++		char buf[65] = { 0 };
+ 		int ndots = 0;
+ 		unsigned v;
++		size_t copy;
+ 
+ 		while (*rest) {
+ 			if (*rest == '.' && ++ndots >= 3)
+@@ -1283,8 +1284,9 @@ static int override_release(char __user *release, int len)
+ 			rest++;
+ 		}
+ 		v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40;
+-		snprintf(buf, len, "2.6.%u%s", v, rest);
+-		ret = copy_to_user(release, buf, len);
++		copy = min(sizeof(buf), max_t(size_t, 1, len));
++		copy = scnprintf(buf, copy, "2.6.%u%s", v, rest);
++		ret = copy_to_user(release, buf, copy + 1);
+ 	}
+ 	return ret;
+ }

Added: dists/sid/linux/debian/patches/bugfix/all/use-clamp_t-in-UNAME26-fix.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/all/use-clamp_t-in-UNAME26-fix.patch	Sun Oct 21 03:27:59 2012	(r19443)
@@ -0,0 +1,32 @@
+From: Kees Cook <keescook at chromium.org>
+Date: Fri, 19 Oct 2012 18:45:53 -0700
+Subject: [2/2] use clamp_t in UNAME26 fix
+
+commit 31fd84b95eb211d5db460a1dda85e004800a7b52 upstream.
+
+The min/max call needed to have explicit types on some architectures
+(e.g. mn10300). Use clamp_t instead to avoid the warning:
+
+  kernel/sys.c: In function 'override_release':
+  kernel/sys.c:1287:10: warning: comparison of distinct pointer types lacks a cast [enabled by default]
+
+Reported-by: Fengguang Wu <fengguang.wu at intel.com>
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ kernel/sys.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/sys.c b/kernel/sys.c
+index 01865c6..e6e0ece 100644
+--- a/kernel/sys.c
++++ b/kernel/sys.c
+@@ -1284,7 +1284,7 @@ static int override_release(char __user *release, size_t len)
+ 			rest++;
+ 		}
+ 		v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40;
+-		copy = min(sizeof(buf), max_t(size_t, 1, len));
++		copy = clamp_t(size_t, len, 1, sizeof(buf));
+ 		copy = scnprintf(buf, copy, "2.6.%u%s", v, rest);
+ 		ret = copy_to_user(release, buf, copy + 1);
+ 	}

Modified: dists/sid/linux/debian/patches/series
==============================================================================
--- dists/sid/linux/debian/patches/series	Sun Oct 21 03:15:40 2012	(r19442)
+++ dists/sid/linux/debian/patches/series	Sun Oct 21 03:27:59 2012	(r19443)
@@ -404,3 +404,5 @@
 debian/hid-avoid-ABI-change-in-3.2.31.patch
 debian/xfrm-avoid-ABI-change-in-3.2.31.patch
 bugfix/x86/SCSI-storvsc-Account-for-in-transit-packets-in-the-R.patch
+bugfix/all/kernel-sys.c-fix-stack-memory-content-leak-via-UNAME.patch
+bugfix/all/use-clamp_t-in-UNAME26-fix.patch

More information about the Kernel-svn-changes mailing list