KEYS: Fix short sprintf buffer in /proc/keys show function (CVE-2016-7042)
This commit is contained in:
parent
ae695bc66b
commit
82d68fe753
|
@ -129,6 +129,9 @@ linux (4.7.7-1) UNRELEASED; urgency=medium
|
|||
* posix_acl: Clear SGID bit when setting file permissions (CVE-2016-7097)
|
||||
* scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (CVE-2016-7425)
|
||||
|
||||
[ Salvatore Bonaccorso ]
|
||||
* KEYS: Fix short sprintf buffer in /proc/keys show function (CVE-2016-7042)
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Tue, 11 Oct 2016 22:43:14 +0100
|
||||
|
||||
linux (4.7.6-1) unstable; urgency=medium
|
||||
|
|
70
debian/patches/bugfix/all/KEYS-Fix-short-sprintf-buffer-in-proc-keys-show-func.patch
vendored
Normal file
70
debian/patches/bugfix/all/KEYS-Fix-short-sprintf-buffer-in-proc-keys-show-func.patch
vendored
Normal file
|
@ -0,0 +1,70 @@
|
|||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Thu, 13 Oct 2016 22:38:46 +0200
|
||||
Subject: KEYS: Fix short sprintf buffer in /proc/keys show function
|
||||
Origin: https://bugzilla.redhat.com/attachment.cgi?id=1200212
|
||||
|
||||
Fix a short sprintf buffer in proc_keys_show(). If the gcc stack protector
|
||||
is turned on, this can cause a panic due to stack corruption.
|
||||
|
||||
The problem is that xbuf[] is not big enough to hold a 64-bit timeout
|
||||
rendered as weeks:
|
||||
|
||||
(gdb) p 0xffffffffffffffffULL/(60*60*24*7)
|
||||
$2 = 30500568904943
|
||||
|
||||
That's 14 chars plus NUL, not 11 chars plus NUL.
|
||||
|
||||
Expand the buffer to 16 chars.
|
||||
|
||||
I think the unpatched code apparently works if the stack-protector is not
|
||||
enabled because on a 32-bit machine the buffer won't be overflowed and on a
|
||||
64-bit machine there's a 64-bit aligned pointer at one side and an int that
|
||||
isn't checked again on the other side.
|
||||
|
||||
The panic incurred looks something like:
|
||||
|
||||
Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe
|
||||
CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1
|
||||
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
|
||||
0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f
|
||||
ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6
|
||||
ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679
|
||||
Call Trace:
|
||||
[<ffffffff813d941f>] dump_stack+0x63/0x84
|
||||
[<ffffffff811b2cb6>] panic+0xde/0x22a
|
||||
[<ffffffff81352ebe>] ? proc_keys_show+0x3ce/0x3d0
|
||||
[<ffffffff8109f7f9>] __stack_chk_fail+0x19/0x30
|
||||
[<ffffffff81352ebe>] proc_keys_show+0x3ce/0x3d0
|
||||
[<ffffffff81350410>] ? key_validate+0x50/0x50
|
||||
[<ffffffff8134db30>] ? key_default_cmp+0x20/0x20
|
||||
[<ffffffff8126b31c>] seq_read+0x2cc/0x390
|
||||
[<ffffffff812b6b12>] proc_reg_read+0x42/0x70
|
||||
[<ffffffff81244fc7>] __vfs_read+0x37/0x150
|
||||
[<ffffffff81357020>] ? security_file_permission+0xa0/0xc0
|
||||
[<ffffffff81246156>] vfs_read+0x96/0x130
|
||||
[<ffffffff81247635>] SyS_read+0x55/0xc0
|
||||
[<ffffffff817eb872>] entry_SYSCALL_64_fastpath+0x1a/0xa4
|
||||
|
||||
Reported-by: Ondrej Kozina <okozina@redhat.com>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
Tested-by: Ondrej Kozina <okozina@redhat.com>
|
||||
---
|
||||
security/keys/proc.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/security/keys/proc.c b/security/keys/proc.c
|
||||
index f0611a6..b9f531c 100644
|
||||
--- a/security/keys/proc.c
|
||||
+++ b/security/keys/proc.c
|
||||
@@ -181,7 +181,7 @@ static int proc_keys_show(struct seq_file *m, void *v)
|
||||
struct timespec now;
|
||||
unsigned long timo;
|
||||
key_ref_t key_ref, skey_ref;
|
||||
- char xbuf[12];
|
||||
+ char xbuf[16];
|
||||
int rc;
|
||||
|
||||
struct keyring_search_context ctx = {
|
||||
--
|
||||
2.9.3
|
||||
|
|
@ -117,6 +117,7 @@ debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
|||
bugfix/all/net-add-recursion-limit-to-gro.patch
|
||||
bugfix/all/posix_acl-clear-sgid-bit-when-setting-file-permissio.patch
|
||||
bugfix/all/scsi-arcmsr-buffer-overflow-in-arcmsr_iop_message_xf.patch
|
||||
bugfix/all/KEYS-Fix-short-sprintf-buffer-in-proc-keys-show-func.patch
|
||||
|
||||
# ABI maintenance
|
||||
debian/i8042-revert-abi-break-in-4.7.3.patch
|
||||
|
|
Loading…
Reference in New Issue