[oss-security] CVE request: kernel: sys_semctl: fix kernel stack leakage

From: Eugene Teo <eugene_at_nospam>
Date: Thu Nov 04 2010 - 06:40:38 GMT
To: oss-security@lists.openwall.com

"The semctl syscall has several code paths that lead to the leakage of
uninitialized kernel stack memory (namely the IPC_INFO, SEM_INFO,
IPC_STAT, and SEM_STAT commands) during the use of the older, obsolete
version of the semid_ds struct.

The copy_semid_to_user() function declares a semid_ds struct on the
stack and copies it back to the user without initializing or zeroing the
"sem_base", "sem_pending", "sem_pending_last", and "undo" pointers,
allowing the leakage of 16 bytes of kernel stack memory.

The code is still reachable on 32-bit systems - when calling semctl()
newer glibc's automatically OR the IPC command with the IPC_64 flag, but
invoking the syscall directly allows users to use the older versions of
the struct."

Upstream commit:
http://git.kernel.org/linus/982f7c2b2e6a28f8f266e075d92e19c0dd4c6e56

Credit: Dan Rosenberg

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=649614

Thanks, Eugene
-- main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }

This message: [ Message body ]
Next message: Eugene Teo: "Re: [oss-security] CVE request: kernel: sys_semctl: fix kernel stack leakage"
Previous message: Dan Rosenberg: "[oss-security] CVE request: kernel: CAN information leak"
Next in thread: Eugene Teo: "Re: [oss-security] CVE request: kernel: sys_semctl: fix kernel stack leakage"
Reply: Eugene Teo: "Re: [oss-security] CVE request: kernel: sys_semctl: fix kernel stack leakage"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]