Products Openwall GNU/*/Linux   server OS John the Ripper   password cracker Free & Open Source for any platform Pro for Linux (RPM package) Pro for Mac OS X (dmg package) Wordlists   for password cracking passwdqc   policy enforcement phpass   password hashing in PHP crypt_blowfish   ditto in C/C++ tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login Services Publications Articles Presentations Community Mailing lists Community wiki Donations Resources Source code repository (CVSweb) File archive & mirrors How to verify digital signatures Password recovery resources Recommended books What's new

Date: Wed, 05 Aug 2009 10:05:55 +0800
From: Eugene Teo <eugene@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>, jon@...rheide.org
Subject: Re: CVE request - kernel: information leak in sigaltstack

Eugene Teo wrote:
> do_sigaltstack: avoid copying 'stack_t' as a structure to user space
> 
> Ulrich Drepper correctly points out that there is generally padding in
> the structure on 64-bit hosts, and that copying the structure from
> kernel to user space can leak information from the kernel stack in those
> padding bytes.
> 
> Avoid the whole issue by just copying the three members one by one
> instead, which also means that the function also can avoid the need for
> a stack frame. This also happens to match how we copy the new structure
> from user space, so it all even makes sense.
> 
> Upstream commit:
> http://git.kernel.org/linus/0083fc2c50e6c5127c2802ad323adf8143ab7856
> 
> Reference:
> https://bugzilla.redhat.com/show_bug.cgi?id=515392

Reproducer:
http://milw0rm.com/exploits/9352

Thanks, Eugene

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ