The patch generic/003_all_coreutils-gentoo-uname.patch adds code to read /proc/cpuinfo to gather some additional system information for `uname`. However, the fscanf call has insufficient bounds-checking. It uses this format "%[^\t:]\t:%[^\n]\n" to read strings into 2 fixed buffers key[64] and value[257]. A malformed /proc/cpuinfo file causes uname to seg fault; I'll attach an example cpuinfo file to this bug.
Created attachment 89679: cpuinfo
I fail to see how this is a vulnerability.
(In reply to comment #2)
> i fail to see how this is a vulnerability

Any scripts or programs that rely on uname (for example, emerge --info) will fail, since uname segfaults. It is very minor, since an attacker would have to either modify the kernel to output a bad /proc/cpuinfo file, mount proc in another location and place a file in /proc/cpuinfo, or sneak the file into someone's chroot that doesn't have procfs mounted.
in other words, the attacker needs to have root level access to exploit it ... at which point your machine is gone anyways :P adding length modifiers makes this a pain :P i think this should fix it though, can you test please: +# define CPUINFO_FORMAT "%64[^\t:]\t:%256[^\n]%c" ... + char key[65], value[257], eol, *ret = NULL; + while (fscanf(fp, CPUINFO_FORMAT, key, value, &eol) != EOF) { + __eat_cpuinfo_space(key); + if (!strcmp(key, procinfo_keys[x])) { + __eat_cpuinfo_space(value); + ret = value; + break; + } + if (eol != '\n') { + fscanf(fp, "%*[^\n]"); + fscanf(fp, "\n"); + } + }
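Review bot: the loop condition `!= EOF` in `while (fscanf(fp, CPUINFO_FORMAT, key, value, &eol) != EOF)` accepts partial matches, and a `%[` conversion fails (matching failure, not EOF) whenever its field is empty, so a line with nothing between the ':' and the newline, or one that starts with ':' or a tab, makes fscanf return 0, 1 or 2 without touching `value` or `eol`; `eol` is then stale (uninitialized on the first iteration, since `char key[65], value[257], eol, *ret = NULL;` gives it no initializer), the `if (eol != '\n')` branch may skip nothing, and when no input was consumed the loop never advances. Suggest storing the return value, treating anything other than 3 as a malformed line to discard (the two `fscanf(fp, "%*[^\n]")` / newline calls already in the hunk can do that), and initializing `eol`. Separately, `ret = value` hands back a pointer into `value`; if that array is a function local, the pointer is dangling once the function returns, so it should be static or copied into a caller-supplied buffer.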
(In reply to comment #4)
> i think this should fix it though, can you test please:

It fixes the seg fault, but it makes the patch useless. The expected output is this (note the EV56):

$ uname -a
Linux gendcc06 2.6.14.2 #2 Wed Nov 30 08:08:44 EST 2005 alpha EV56 GNU/Linux

Using the code you posted on this bug I get this (it does not print EV56):

# ./uname -a
Linux gendcc06 2.6.14.2 #2 Wed Nov 30 08:08:44 EST 2005 alpha GNU/Linux
# cat /proc/cpuinfo
cpu : Alpha
cpu model : EV56
cpu variation : 7
cpu revision : 0
cpu serial number :
system type : EB164
system variation : LX164
system revision : 0
system serial number :
cycle frequency [Hz] : 533165824 est.
timer frequency [Hz] : 1024.00
page size [bytes] : 8192
phys. address bits : 40
max. addr. space # : 127
BogoMIPS : 1059.80
kernel unaligned acc : 0 (pc=0,va=0)
user unaligned acc : 3755961 (pc=2000007950c,va=1200008b1)
platform string : Digital AlphaPC 164LX 533 MHz
cpus detected : 1
L1 Icache : 8K, 1-way, 32b line
L1 Dcache : 8K, 1-way, 32b line
L2 cache : 96K, 3-way, 64b line
L3 cache : 2048K, 1-way, 64b line
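A bounded way to read the same key/value lines, as an added example that is not the coreutils patch or any code from this bug: it uses fgets() into a fixed buffer instead of unbounded fscanf conversions, skips over-long or colon-less lines like the malformed cpuinfo from the report, and tolerates an empty value. The names cpuinfo_lookup and sample_cpuinfo and the sample input are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
/* Added example, not the coreutils patch: bounded, line-oriented lookup of
 * one /proc/cpuinfo key. fgets() into a fixed buffer replaces the unbounded
 * "%[^\t:]" conversions, so an over-long key, a line with no ':' or an
 * empty value cannot overrun the stack buffers. */
#define LINE_MAX_LEN 256

static void trim(char *s) {            /* strip surrounding whitespace in place */
    size_t len = strlen(s), start = 0;
    while (len > 0 && isspace((unsigned char)s[len - 1])) s[--len] = '\0';
    while (isspace((unsigned char)s[start])) start++;
    if (start) memmove(s, s + start, len - start + 1);
}

/* Returns 1 and copies the value (truncated to outlen - 1 bytes) into out
 * when key is present, 0 when it is not. */
int cpuinfo_lookup(FILE *fp, const char *key, char *out, size_t outlen) {
    char line[LINE_MAX_LEN];
    while (fgets(line, sizeof line, fp) != NULL) {
        size_t n = strlen(line);
        if (n > 0 && line[n - 1] != '\n' && !feof(fp)) {
            int c;                     /* over-long line: drop the rest of it */
            while ((c = fgetc(fp)) != EOF && c != '\n') { }
            continue;
        }
        char *colon = strchr(line, ':');
        if (colon == NULL) continue;   /* malformed line without a separator */
        *colon = '\0';
        trim(line);
        if (strcmp(line, key) != 0) continue;
        trim(colon + 1);
        snprintf(out, outlen, "%s", colon + 1);
        return 1;
    }
    return 0;
}

/* Constructed test input as a FILE*: a 600-byte line with no ':' (the
 * malformed case from the report) followed by Alpha-style lines, one of
 * them with an empty value. Written to an ISO C tmpfile(). */
FILE *sample_cpuinfo(void) {
    FILE *fp = tmpfile();
    if (fp == NULL) return NULL;
    for (int i = 0; i < 600; i++) fputc('A', fp);
    fputs("\ncpu\t\t\t: Alpha\ncpu model\t\t: EV56\ncpu serial number\t: \n", fp);
    rewind(fp);
    return fp;
}
```

Call rewind() on the FILE* between lookups, since each call leaves the stream positioned after the matching line.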
Fixed in coreutils-5.97.