forge/linux-uconsole
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions
linux-uconsole/security/keys
History
David Howells 940d7ecbc5 KEYS: Fix short sprintf buffer in /proc/keys show function 
commit 03dab869b7 upstream.

This fixes CVE-2016-7042.

Fix a short sprintf buffer in proc_keys_show().  If the gcc stack protector
is turned on, this can cause a panic due to stack corruption.

The problem is that xbuf[] is not big enough to hold a 64-bit timeout
rendered as weeks:

	(gdb) p 0xffffffffffffffffULL/(60*60*24*7)
	$2 = 30500568904943

That's 14 chars plus NUL, not 11 chars plus NUL.

Expand the buffer to 16 chars.

I think the unpatched code apparently works if the stack-protector is not
enabled because on a 32-bit machine the buffer won't be overflowed and on a
64-bit machine there's a 64-bit aligned pointer at one side and an int that
isn't checked again on the other side.

The panic incurred looks something like:

Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe
CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
 0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f
 ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6
 ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679
Call Trace:
 [<ffffffff813d941f>] dump_stack+0x63/0x84
 [<ffffffff811b2cb6>] panic+0xde/0x22a
 [<ffffffff81352ebe>] ? proc_keys_show+0x3ce/0x3d0
 [<ffffffff8109f7f9>] __stack_chk_fail+0x19/0x30
 [<ffffffff81352ebe>] proc_keys_show+0x3ce/0x3d0
 [<ffffffff81350410>] ? key_validate+0x50/0x50
 [<ffffffff8134db30>] ? key_default_cmp+0x20/0x20
 [<ffffffff8126b31c>] seq_read+0x2cc/0x390
 [<ffffffff812b6b12>] proc_reg_read+0x42/0x70
 [<ffffffff81244fc7>] __vfs_read+0x37/0x150
 [<ffffffff81357020>] ? security_file_permission+0xa0/0xc0
 [<ffffffff81246156>] vfs_read+0x96/0x130
 [<ffffffff81247635>] SyS_read+0x55/0xc0
 [<ffffffff817eb872>] entry_SYSCALL_64_fastpath+0x1a/0xa4

Reported-by: Ondrej Kozina <okozina@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Ondrej Kozina <okozina@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-11-10 16:36:32 +01:00
..
encrypted-keys KEYS: Fix handling of stored error in a negatively instantiated user key 2015-11-25 14:19:47 +11:00
big_key.c KEYS: Merge the type-specific data with the payload data 2015-10-21 15:18:36 +01:00
compat.c switch keyctl_instantiate_key_common() to iov_iter 2015-04-11 22:27:12 -04:00
gc.c KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring 2015-10-15 17:21:37 +01:00
internal.h switch keyctl_instantiate_key_common() to iov_iter 2015-04-11 22:27:12 -04:00
Kconfig KEYS: Make /proc/keys unconditional if CONFIG_KEYS=y 2015-01-22 22:34:32 +00:00
key.c KEYS: potential uninitialized variable 2016-07-27 09:47:31 -07:00
keyctl.c KEYS: Fix race between read and revoke 2015-12-19 12:34:43 +11:00
keyring.c KEYS: Merge the type-specific data with the payload data 2015-10-21 15:18:36 +01:00
Makefile KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches 2013-09-24 10:35:19 +01:00
permission.c KEYS: Move the flags representing required permission to linux/key.h 2014-03-14 17:44:49 +00:00
persistent.c KEYS: Move the flags representing required permission to linux/key.h 2014-03-14 17:44:49 +00:00
proc.c KEYS: Fix short sprintf buffer in /proc/keys show function 2016-11-10 16:36:32 +01:00
process_keys.c KEYS: Fix keyring ref leak in join_session_keyring() 2016-01-31 11:28:53 -08:00
request_key.c Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2015-11-05 15:32:38 -08:00
request_key_auth.c KEYS: Merge the type-specific data with the payload data 2015-10-21 15:18:36 +01:00
sysctl.c security: Convert use of typedef ctl_table to struct ctl_table 2014-04-15 13:39:58 +10:00
trusted.c KEYS: Fix handling of stored error in a negatively instantiated user key 2015-11-25 14:19:47 +11:00
trusted.h keys, trusted: move struct trusted_key_options to trusted-type.h 2015-10-19 01:01:21 +02:00
user_defined.c KEYS: Fix handling of stored error in a negatively instantiated user key 2015-11-25 14:19:47 +11:00