• David Howells's avatar
    KEYS: Fix short sprintf buffer in /proc/keys show function · b9eabdf0
    David Howells authored
    commit 03dab869 upstream.
    
    This fixes CVE-2016-7042.
    
    Fix a short sprintf buffer in proc_keys_show().  If the gcc stack protector
    is turned on, this can cause a panic due to stack corruption.
    
    The problem is that xbuf[] is not big enough to hold a 64-bit timeout
    rendered as weeks:
    
    	(gdb) p 0xffffffffffffffffULL/(60*60*24*7)
    	$2 = 30500568904943
    
    That's 14 chars plus NUL, not 11 chars plus NUL.
    
    Expand the buffer to 16 chars.
    
    I think the unpatched code apparently works if the stack-protector is not
    enabled because on a 32-bit machine the buffer won't be overflowed and on a
    64-bit machine there's a 64-bit aligned pointer at one side and an int that
    isn't checked again on the other side.
    
    The panic incurred looks something like:
    
    Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe
    CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1
    Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
     0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f
     ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6
     ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679
    Call Trace:
     [<ffffffff813d941f>] dump_stack+0x63/0x84
     [<ffffffff811b2cb6>] panic+0xde/0x22a
     [<ffffffff81352ebe>] ? proc_keys_show+0x3ce/0x3d0
     [<ffffffff8109f7f9>] __stack_chk_fail+0x19/0x30
     [<ffffffff81352ebe>] proc_keys_show+0x3ce/0x3d0
     [<ffffffff81350410>] ? key_validate+0x50/0x50
     [<ffffffff8134db30>] ? key_default_cmp+0x20/0x20
     [<ffffffff8126b31c>] seq_read+0x2cc/0x390
     [<ffffffff812b6b12>] proc_reg_read+0x42/0x70
     [<ffffffff81244fc7>] __vfs_read+0x37/0x150
     [<ffffffff81357020>] ? security_file_permission+0xa0/0xc0
     [<ffffffff81246156>] vfs_read+0x96/0x130
     [<ffffffff81247635>] SyS_read+0x55/0xc0
     [<ffffffff817eb872>] entry_SYSCALL_64_fastpath+0x1a/0xa4
    Reported-by: default avatarOndrej Kozina <okozina@redhat.com>
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    Tested-by: default avatarOndrej Kozina <okozina@redhat.com>
    Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
    Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
    b9eabdf0
proc.c 8.64 KB