From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Ondrej Kozina <okozina@redhat.com>,
David Howells <dhowells@redhat.com>,
James Morris <james.l.morris@oracle.com>
Subject: [PATCH 4.4 08/69] KEYS: Fix short sprintf buffer in /proc/keys show function
Date: Wed, 9 Nov 2016 11:43:46 +0100 [thread overview]
Message-ID: <20161109102901.497925157@linuxfoundation.org> (raw)
In-Reply-To: <20161109102901.127641653@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
commit 03dab869b7b239c4e013ec82aea22e181e441cfc upstream.
This fixes CVE-2016-7042.
Fix a short sprintf buffer in proc_keys_show(). If the gcc stack protector
is turned on, this can cause a panic due to stack corruption.
The problem is that xbuf[] is not big enough to hold a 64-bit timeout
rendered as weeks:
(gdb) p 0xffffffffffffffffULL/(60*60*24*7)
$2 = 30500568904943
That's 14 chars plus NUL, not 11 chars plus NUL.
Expand the buffer to 16 chars.
I think the unpatched code apparently works if the stack-protector is not
enabled because on a 32-bit machine the buffer won't be overflowed and on a
64-bit machine there's a 64-bit aligned pointer at one side and an int that
isn't checked again on the other side.
The panic incurred looks something like:
Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe
CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f
ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6
ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679
Call Trace:
[<ffffffff813d941f>] dump_stack+0x63/0x84
[<ffffffff811b2cb6>] panic+0xde/0x22a
[<ffffffff81352ebe>] ? proc_keys_show+0x3ce/0x3d0
[<ffffffff8109f7f9>] __stack_chk_fail+0x19/0x30
[<ffffffff81352ebe>] proc_keys_show+0x3ce/0x3d0
[<ffffffff81350410>] ? key_validate+0x50/0x50
[<ffffffff8134db30>] ? key_default_cmp+0x20/0x20
[<ffffffff8126b31c>] seq_read+0x2cc/0x390
[<ffffffff812b6b12>] proc_reg_read+0x42/0x70
[<ffffffff81244fc7>] __vfs_read+0x37/0x150
[<ffffffff81357020>] ? security_file_permission+0xa0/0xc0
[<ffffffff81246156>] vfs_read+0x96/0x130
[<ffffffff81247635>] SyS_read+0x55/0xc0
[<ffffffff817eb872>] entry_SYSCALL_64_fastpath+0x1a/0xa4
Reported-by: Ondrej Kozina <okozina@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Ondrej Kozina <okozina@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/keys/proc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -181,7 +181,7 @@ static int proc_keys_show(struct seq_fil
struct timespec now;
unsigned long timo;
key_ref_t key_ref, skey_ref;
- char xbuf[12];
+ char xbuf[16];
int rc;
struct keyring_search_context ctx = {
next prev parent reply other threads:[~2016-11-09 10:50 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20161109104447epcas2p2800d2cee304b181b04018da2ac18030c@epcas2p2.samsung.com>
2016-11-09 10:43 ` [PATCH 4.4 00/69] 4.4.31-stable review Greg Kroah-Hartman
2016-11-09 10:43 ` [PATCH 4.4 01/69] i2c: xgene: Avoid dma_buffer overrun Greg Kroah-Hartman
2016-11-09 10:43 ` [PATCH 4.4 02/69] i2c: core: fix NULL pointer dereference under race condition Greg Kroah-Hartman
2016-11-09 10:43 ` [PATCH 4.4 04/69] h8300: fix syscall restarting Greg Kroah-Hartman
2016-11-09 10:43 ` [PATCH 4.4 05/69] libxfs: clean up _calc_dquots_per_chunk Greg Kroah-Hartman
2016-11-09 10:43 ` [PATCH 4.4 06/69] mm/list_lru.c: avoid error-path NULL pointer deref Greg Kroah-Hartman
2016-11-09 10:43 ` [PATCH 4.4 07/69] mm: memcontrol: do not recurse in direct reclaim Greg Kroah-Hartman
2016-11-09 10:43 ` Greg Kroah-Hartman [this message]
2016-11-09 10:43 ` [PATCH 4.4 09/69] ALSA: usb-audio: Add quirk for Syntek STK1160 Greg Kroah-Hartman
2016-11-09 10:43 ` [PATCH 4.4 10/69] ALSA: hda - Merge RIRB_PRE_DELAY into CTX_WORKAROUND caps Greg Kroah-Hartman
2016-11-09 10:43 ` [PATCH 4.4 11/69] ALSA: hda - Raise AZX_DCAPS_RIRB_DELAY handling into top drivers Greg Kroah-Hartman
2016-11-09 10:43 ` [PATCH 4.4 12/69] ALSA: hda - allow 40 bit DMA mask for NVidia devices Greg Kroah-Hartman
2016-11-09 10:43 ` [PATCH 4.4 13/69] ALSA: hda - Adding a new group of pin cfg into ALC295 pin quirk table Greg Kroah-Hartman
2016-11-09 10:43 ` [PATCH 4.4 14/69] ALSA: hda - Fix headset mic detection problem for two Dell laptops Greg Kroah-Hartman
2016-11-09 10:43 ` [PATCH 4.4 17/69] btrfs: fix races on root_log_ctx lists Greg Kroah-Hartman
2016-11-09 10:43 ` [PATCH 4.4 18/69] ubifs: Abort readdir upon error Greg Kroah-Hartman
2016-11-09 10:43 ` [PATCH 4.4 19/69] ubifs: Fix regression in ubifs_readdir() Greg Kroah-Hartman
2016-11-09 10:43 ` [PATCH 4.4 20/69] mei: txe: dont clean an unprocessed interrupt cause Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 22/69] USB: serial: fix potential NULL-dereference at probe Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 23/69] USB: serial: ftdi_sio: add support for Infineon TriBoard TC2X7 Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 24/69] xhci: use default USB_RESUME_TIMEOUT when resuming ports Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 25/69] usb: increase ohci watchdog delay to 275 msec Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 26/69] GenWQE: Fix bad page access during abort of resource allocation Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 27/69] Fix potential infoleak in older kernels Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 28/69] vt: clear selection before resizing Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 29/69] hv: do not lose pending heartbeat vmbus packets Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 30/69] xhci: add restart quirk for Intel Wildcatpoint PCH Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 31/69] tty: limit terminal size to 4M chars Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 32/69] USB: serial: cp210x: fix tiocmget error handling Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 33/69] dm: free io_barrier after blk_cleanup_queue call Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 36/69] ovl: fsync after copy-up Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 37/69] parisc: Ensure consistent state when switching to kernel stack at syscall entry Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 38/69] virtio_ring: Make interrupt suppression spec compliant Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 39/69] virtio: console: Unlock vqs while freeing buffers Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 40/69] dm mirror: fix read error on recovery after default leg failure Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 41/69] Input: i8042 - add XMG C504 to keyboard reset table Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 42/69] firewire: net: guard against rx buffer overflows Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 43/69] firewire: net: fix fragmented datagram_size off-by-one Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 44/69] mac80211: discard multicast and 4-addr A-MSDUs Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 45/69] scsi: megaraid_sas: Fix data integrity failure for JBOD (passthrough) devices Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 46/69] scsi: scsi_debug: Fix memory leak if LBP enabled and module is unloaded Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 47/69] scsi: arcmsr: Send SYNCHRONIZE_CACHE command to firmware Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 48/69] mmc: dw_mmc-pltfm: fix the potential NULL pointer dereference Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 50/69] drm/radeon/si_dpm: Limit clocks on HD86xx part Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 51/69] drm/radeon/si_dpm: workaround for SI kickers Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 54/69] perf build: Fix traceevent plugins build race Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 55/69] x86/xen: fix upper bound of pmd loop in xen_cleanhighmap() Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 56/69] powerpc/ptrace: Fix out of bounds array access warning Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 57/69] ARM: 8584/1: floppy: avoid gcc-6 warning Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 58/69] mm/cma: silence warnings due to max() usage Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 59/69] drm/exynos: fix error handling in exynos_drm_subdrv_open Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 60/69] cgroup: avoid false positive gcc-6 warning Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 61/69] smc91x: avoid self-comparison warning Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 63/69] UBI: fastmap: scrub PEB when bitflips are detected in a free PEB EC header Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 64/69] pwm: Unexport children before chip removal Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 65/69] usb: dwc3: Fix size used in dma_free_coherent() Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 67/69] kvm: x86: Check memopp before dereference (CVE-2016-8630) Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 68/69] ubi: fastmap: Fix add_vol() return value test in ubi_attach_fastmap() Greg Kroah-Hartman
2016-11-09 10:44 ` [PATCH 4.4 69/69] HID: usbhid: add ATEN CS962 to list of quirky devices Greg Kroah-Hartman
2016-11-09 18:21 ` [PATCH 4.4 00/69] 4.4.31-stable review Shuah Khan
2016-11-09 19:34 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161109102901.497925157@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dhowells@redhat.com \
--cc=james.l.morris@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=okozina@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).