releases/4.8.7/keys-fix-short-sprintf-buffer-in-proc-keys-show-function.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 03dab869b7b239c4e013ec82aea22e181e441cfc Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Wed, 26 Oct 2016 15:01:54 +0100
 Subject: KEYS: Fix short sprintf buffer in /proc/keys show function

 From: David Howells <dhowells@redhat.com>

 commit 03dab869b7b239c4e013ec82aea22e181e441cfc upstream.

 This fixes CVE-2016-7042.

 Fix a short sprintf buffer in proc_keys_show().  If the gcc stack protector
 is turned on, this can cause a panic due to stack corruption.

 The problem is that xbuf[] is not big enough to hold a 64-bit timeout
 rendered as weeks:

 	(gdb) p 0xffffffffffffffffULL/(60*60*24*7)
 	$2 = 30500568904943

 That's 14 chars plus NUL, not 11 chars plus NUL.

 Expand the buffer to 16 chars.

 I think the unpatched code apparently works if the stack-protector is not
 enabled because on a 32-bit machine the buffer won't be overflowed and on a
 64-bit machine there's a 64-bit aligned pointer at one side and an int that
 isn't checked again on the other side.

 The panic incurred looks something like:

 Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe
 CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1
 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
  0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f
  ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6
  ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679
 Call Trace:
  [<ffffffff813d941f>] dump_stack+0x63/0x84
  [<ffffffff811b2cb6>] panic+0xde/0x22a
  [<ffffffff81352ebe>] ? proc_keys_show+0x3ce/0x3d0
  [<ffffffff8109f7f9>] __stack_chk_fail+0x19/0x30
  [<ffffffff81352ebe>] proc_keys_show+0x3ce/0x3d0
  [<ffffffff81350410>] ? key_validate+0x50/0x50
  [<ffffffff8134db30>] ? key_default_cmp+0x20/0x20
  [<ffffffff8126b31c>] seq_read+0x2cc/0x390
  [<ffffffff812b6b12>] proc_reg_read+0x42/0x70
  [<ffffffff81244fc7>] __vfs_read+0x37/0x150
  [<ffffffff81357020>] ? security_file_permission+0xa0/0xc0
  [<ffffffff81246156>] vfs_read+0x96/0x130
  [<ffffffff81247635>] SyS_read+0x55/0xc0
  [<ffffffff817eb872>] entry_SYSCALL_64_fastpath+0x1a/0xa4

 Reported-by: Ondrej Kozina <okozina@redhat.com>
 Signed-off-by: David Howells <dhowells@redhat.com>
 Tested-by: Ondrej Kozina <okozina@redhat.com>
 Signed-off-by: James Morris <james.l.morris@oracle.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  security/keys/proc.c |    2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

 --- a/security/keys/proc.c
 +++ b/security/keys/proc.c
 @@ -181,7 +181,7 @@ static int proc_keys_show(struct seq_fil
  	struct timespec now;
  	unsigned long timo;
  	key_ref_t key_ref, skey_ref;
 -	char xbuf[12];
 +	char xbuf[16];
  	int rc;

  	struct keyring_search_context ctx = {
	From 03dab869b7b239c4e013ec82aea22e181e441cfc Mon Sep 17 00:00:00 2001
	From: David Howells <dhowells@redhat.com>
	Date: Wed, 26 Oct 2016 15:01:54 +0100
	Subject: KEYS: Fix short sprintf buffer in /proc/keys show function

	From: David Howells <dhowells@redhat.com>

	commit 03dab869b7b239c4e013ec82aea22e181e441cfc upstream.

	This fixes CVE-2016-7042.

	Fix a short sprintf buffer in proc_keys_show(). If the gcc stack protector
	is turned on, this can cause a panic due to stack corruption.

	The problem is that xbuf[] is not big enough to hold a 64-bit timeout
	rendered as weeks:

	(gdb) p 0xffffffffffffffffULL/(606024*7)
	$2 = 30500568904943

	That's 14 chars plus NUL, not 11 chars plus NUL.

	Expand the buffer to 16 chars.

	I think the unpatched code apparently works if the stack-protector is not
	enabled because on a 32-bit machine the buffer won't be overflowed and on a
	64-bit machine there's a 64-bit aligned pointer at one side and an int that
	isn't checked again on the other side.

	The panic incurred looks something like:

	Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe
	CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1
	Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
	0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f
	ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6
	ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679
	Call Trace:
	[<ffffffff813d941f>] dump_stack+0x63/0x84
	[<ffffffff811b2cb6>] panic+0xde/0x22a
	[<ffffffff81352ebe>] ? proc_keys_show+0x3ce/0x3d0
	[<ffffffff8109f7f9>] __stack_chk_fail+0x19/0x30
	[<ffffffff81352ebe>] proc_keys_show+0x3ce/0x3d0
	[<ffffffff81350410>] ? key_validate+0x50/0x50
	[<ffffffff8134db30>] ? key_default_cmp+0x20/0x20
	[<ffffffff8126b31c>] seq_read+0x2cc/0x390
	[<ffffffff812b6b12>] proc_reg_read+0x42/0x70
	[<ffffffff81244fc7>] __vfs_read+0x37/0x150
	[<ffffffff81357020>] ? security_file_permission+0xa0/0xc0
	[<ffffffff81246156>] vfs_read+0x96/0x130
	[<ffffffff81247635>] SyS_read+0x55/0xc0
	[<ffffffff817eb872>] entry_SYSCALL_64_fastpath+0x1a/0xa4

	Reported-by: Ondrej Kozina <okozina@redhat.com>
	Signed-off-by: David Howells <dhowells@redhat.com>
	Tested-by: Ondrej Kozina <okozina@redhat.com>
	Signed-off-by: James Morris <james.l.morris@oracle.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	security/keys/proc.c \| 2 +-
	1 file changed, 1 insertion(+), 1 deletion(-)

	--- a/security/keys/proc.c
	+++ b/security/keys/proc.c
	@@ -181,7 +181,7 @@ static int proc_keys_show(struct seq_fil
	struct timespec now;
	unsigned long timo;
	key_ref_t key_ref, skey_ref;
	- char xbuf[12];
	+ char xbuf[16];
	int rc;

	struct keyring_search_context ctx = {