Re: CVE-2009-2584

From: Jiri Kosina
Date: Thu Nov 05 2009 - 10:27:30 EST

Next message: Oleg Nesterov: "Re: 2.6.32-rc5-mmotm1101 - lockdep whinge during early boot"
Previous message: Norbert Preining: "Re: OOM killer, page fault"
In reply to: Justin P. Mattock: "Re: CVE-2009-2584"
Next in thread: Linus Torvalds: "Re: CVE-2009-2584"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ adding some more CCs and including patch below for completness,
obviously it got lost in space ]

On Wed, 4 Nov 2009, Michael Gilbert wrote:

> CVE-2009-2584 [0],[1] has been disclosed for quite a while now (with
> existing exploit code by Brad Spengler [2]). A patch has also been
> available for the same amount of time [3], but as of 2.6.32-rc6 it is
> still not applied. Did this slip through the cracks? Thanks upfront
> for any info on the matter.
[ ... ]
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2584
> [1] http://xorl.wordpress.com/2009/07/21/linux-kernel-sgi-gru-driver-off-by-one-overwrite/
> [2] http://grsecurity.net/~spender/exploit_demo.c
> [3] http://lkml.org/lkml/2009/7/20/348

From: Michael Buesch <mb@xxxxxxxxx>
Subject: sgi-gru: Fix kernel stack buffer overrun

This patch fixes a kernel stack buffer overrun in the sgi-gru procfs
interface implementation. The "count" parameter to options_write() is user
controlled. So this bug can be used to write '\0' bytes to almost
arbitrary places on the kernel stack.

Cc: stable@xxxxxxxxxx
Signed-off-by: Michael Buesch <mb@xxxxxxxxx>
Acked-by: Jack Steiner <steiner@xxxxxxx>

--- linux-2.6.orig/drivers/misc/sgi-gru/gruprocfs.c
+++ linux-2.6/drivers/misc/sgi-gru/gruprocfs.c
@@ -157,23 +157,23 @@ static int options_show(struct seq_file
seq_printf(s, "0x%lx\n", gru_options);
return 0;
}

static ssize_t options_write(struct file *file, const char __user *userbuf,
size_t count, loff_t *data)
{
unsigned long val;
char buf[80];

+ memset(buf, 0, sizeof(buf));
if (strncpy_from_user(buf, userbuf, sizeof(buf) - 1) < 0)
return -EFAULT;
- buf[count - 1] = '\0';
if (!strict_strtoul(buf, 10, &val))
gru_options = val;

return count;
}

static int cch_seq_show(struct seq_file *file, void *data)
{
long gid = *(long *)data;
int i;

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Oleg Nesterov: "Re: 2.6.32-rc5-mmotm1101 - lockdep whinge during early boot"
Previous message: Norbert Preining: "Re: OOM killer, page fault"
In reply to: Justin P. Mattock: "Re: CVE-2009-2584"
Next in thread: Linus Torvalds: "Re: CVE-2009-2584"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]