Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 04 Nov 2010 15:27:59 +0800
From: Eugene Teo <eugene@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: kernel: sys_semctl: fix kernel stack
 leakage

On 11/04/2010 02:40 PM, Eugene Teo wrote:
> "The semctl syscall has several code paths that lead to the leakage of
> uninitialized kernel stack memory (namely the IPC_INFO, SEM_INFO,
> IPC_STAT, and SEM_STAT commands) during the use of the older, obsolete
> version of the semid_ds struct.
>
> The copy_semid_to_user() function declares a semid_ds struct on the
> stack and copies it back to the user without initializing or zeroing the
> "sem_base", "sem_pending", "sem_pending_last", and "undo" pointers,
> allowing the leakage of 16 bytes of kernel stack memory.
>
> The code is still reachable on 32-bit systems - when calling semctl()
> newer glibc's automatically OR the IPC command with the IPC_64 flag, but
> invoking the syscall directly allows users to use the older versions of
> the struct."
>
> Upstream commit:
> http://git.kernel.org/linus/982f7c2b2e6a28f8f266e075d92e19c0dd4c6e56
>
> Credit: Dan Rosenberg
>
> Reference:
> https://bugzilla.redhat.com/show_bug.cgi?id=649614

Whoops, this has been assigned CVE-2010-4083.

Thanks, Eugene
-- 
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.