[Dapper/Hardy/Karmic/Maverick] [CVE-2010-4083] [PATCH 1/1] sys_semctl: fix kernel stack leakage, CVE-2010-4083
Brad Figg
brad.figg at canonical.com
Fri Feb 4 17:26:51 UTC 2011
From: Dan Rosenberg <drosenberg at vsecurity.com>
CVE-2010-4083
BugLink: http://bugs.launchpad.net/bugs/712749
The semctl syscall has several code paths that lead to the leakage of
uninitialized kernel stack memory (namely the IPC_INFO, SEM_INFO,
IPC_STAT, and SEM_STAT commands) during the use of the older, obsolete
version of the semid_ds struct.
The copy_semid_to_user() function declares a semid_ds struct on the stack
and copies it back to the user without initializing or zeroing the
"sem_base", "sem_pending", "sem_pending_last", and "undo" pointers,
allowing the leakage of 16 bytes of kernel stack memory.
The code is still reachable on 32-bit systems - when calling semctl()
newer glibc's automatically OR the IPC command with the IPC_64 flag, but
invoking the syscall directly allows users to use the older versions of
the struct.
Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
Cc: Manfred Spraul <manfred at colorfullife.com>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
(cherry-picked from commit 982f7c2b2e6a28f8f266e075d92e19c0dd4c6e56)
Signed-off-by: Brad Figg <brad.figg at canonical.com>
---
ipc/sem.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/ipc/sem.c b/ipc/sem.c
index 40a8f46..0e0d49b 100644
--- a/ipc/sem.c
+++ b/ipc/sem.c
@@ -743,6 +743,8 @@ static unsigned long copy_semid_to_user(void __user *buf, struct semid64_ds *in,
{
struct semid_ds out;
+ memset(&out, 0, sizeof(out));
+
ipc64_perm_to_ipc_perm(&in->sem_perm, &out.sem_perm);
out.sem_otime = in->sem_otime;
--
1.7.3.5
More information about the kernel-team
mailing list