[linux] 01/01: KEYS: Fix short sprintf buffer in /proc/keys show function (CVE-2016-7042)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Tue Oct 18 04:47:07 UTC 2016 

This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch jessie-security
in repository linux.

commit 9265f55582b264c6d336785646f069d214c92d34
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Thu Oct 13 22:48:23 2016 +0200

    KEYS: Fix short sprintf buffer in /proc/keys show function (CVE-2016-7042)
---
 debian/changelog                                   |  6 ++
 ...ort-sprintf-buffer-in-proc-keys-show-func.patch | 70 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 77 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index dcf2adc..d82924e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+linux (3.16.36-1+deb8u2) UNRELEASED; urgency=medium
+
+  * KEYS: Fix short sprintf buffer in /proc/keys show function (CVE-2016-7042)
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Tue, 18 Oct 2016 06:39:49 +0200
+
 linux (3.16.36-1+deb8u1) jessie-security; urgency=high
 
   [ Ben Hutchings ]
diff --git a/debian/patches/bugfix/all/KEYS-Fix-short-sprintf-buffer-in-proc-keys-show-func.patch b/debian/patches/bugfix/all/KEYS-Fix-short-sprintf-buffer-in-proc-keys-show-func.patch
new file mode 100644
index 0000000..9041055
--- /dev/null
+++ b/debian/patches/bugfix/all/KEYS-Fix-short-sprintf-buffer-in-proc-keys-show-func.patch
@@ -0,0 +1,70 @@
+From: David Howells <dhowells at redhat.com>
+Date: Thu, 13 Oct 2016 22:38:46 +0200
+Subject: KEYS: Fix short sprintf buffer in /proc/keys show function
+Origin: https://bugzilla.redhat.com/attachment.cgi?id=1200212
+
+Fix a short sprintf buffer in proc_keys_show().  If the gcc stack protector
+is turned on, this can cause a panic due to stack corruption.
+
+The problem is that xbuf[] is not big enough to hold a 64-bit timeout
+rendered as weeks:
+
+	(gdb) p 0xffffffffffffffffULL/(60*60*24*7)
+	$2 = 30500568904943
+
+That's 14 chars plus NUL, not 11 chars plus NUL.
+
+Expand the buffer to 16 chars.
+
+I think the unpatched code apparently works if the stack-protector is not
+enabled because on a 32-bit machine the buffer won't be overflowed and on a
+64-bit machine there's a 64-bit aligned pointer at one side and an int that
+isn't checked again on the other side.
+
+The panic incurred looks something like:
+
+Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe
+CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1
+Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+ 0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f
+ ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6
+ ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679
+Call Trace:
+ [<ffffffff813d941f>] dump_stack+0x63/0x84
+ [<ffffffff811b2cb6>] panic+0xde/0x22a
+ [<ffffffff81352ebe>] ? proc_keys_show+0x3ce/0x3d0
+ [<ffffffff8109f7f9>] __stack_chk_fail+0x19/0x30
+ [<ffffffff81352ebe>] proc_keys_show+0x3ce/0x3d0
+ [<ffffffff81350410>] ? key_validate+0x50/0x50
+ [<ffffffff8134db30>] ? key_default_cmp+0x20/0x20
+ [<ffffffff8126b31c>] seq_read+0x2cc/0x390
+ [<ffffffff812b6b12>] proc_reg_read+0x42/0x70
+ [<ffffffff81244fc7>] __vfs_read+0x37/0x150
+ [<ffffffff81357020>] ? security_file_permission+0xa0/0xc0
+ [<ffffffff81246156>] vfs_read+0x96/0x130
+ [<ffffffff81247635>] SyS_read+0x55/0xc0
+ [<ffffffff817eb872>] entry_SYSCALL_64_fastpath+0x1a/0xa4
+
+Reported-by: Ondrej Kozina <okozina at redhat.com>
+Signed-off-by: David Howells <dhowells at redhat.com>
+Tested-by: Ondrej Kozina <okozina at redhat.com>
+---
+ security/keys/proc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/keys/proc.c b/security/keys/proc.c
+index f0611a6..b9f531c 100644
+--- a/security/keys/proc.c
++++ b/security/keys/proc.c
+@@ -181,7 +181,7 @@ static int proc_keys_show(struct seq_file *m, void *v)
+ 	struct timespec now;
+ 	unsigned long timo;
+ 	key_ref_t key_ref, skey_ref;
+-	char xbuf[12];
++	char xbuf[16];
+ 	int rc;
+ 
+ 	struct keyring_search_context ctx = {
+-- 
+2.9.3
+
diff --git a/debian/patches/series b/debian/patches/series
index 3ab0d2d..0686334 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -677,6 +677,7 @@ bugfix/all/tcp-make-challenge-acks-less-predictable.patch
 bugfix/all/audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch
 bugfix/all/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch
 bugfix/all/aacraid-Check-size-values-after-double-fetch-from-us.patch
+bugfix/all/KEYS-Fix-short-sprintf-buffer-in-proc-keys-show-func.patch
 
 # Fix ABI changes
 debian/of-fix-abi-changes.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list