73000 – Buffer overrun in arch/x86_64/sys_ia32.c (CAN-2004-1151)

Bug 73000 - Buffer overrun in arch/x86_64/sys_ia32.c (CAN-2004-1151)

Summary: Buffer overrun in arch/x86_64/sys_ia32.c (CAN-2004-1151)

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Kernel (show other bugs)
Hardware:	All All

Importance:	High normal
Assignee:	Gentoo Security

URL:	http://git.kernel.org/?p=linux/kernel...
Whiteboard:	[linux <2.6.10]
Keywords:

Depends on:
Blocks:

Reported:	2004-11-30 23:59 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified:	2009-05-03 13:43 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Flags:	plasmaroo: Assigned_To? (plasmaroo)

Attachments
Patch (linux-2.6-CAN-2004-1151.patch,1.12 KB, patch) 2004-12-19 10:59 UTC, Tim Yamin (RETIRED)	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-11-30 23:59:03 UTC

v-s reports:

struct task_struct.comm is defined to be 16 chars, but
arch/x86_64/sys_ia32.c:sys32_ni_syscall() copies it into a static 8 byte
buffer, which will surely cause problems.

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-11-30 23:59:03 UTC

v-s reports:

struct task_struct.comm is defined to be 16 chars, but
arch/x86_64/sys_ia32.c:sys32_ni_syscall() copies it into a static 8 byte
buffer, which will surely cause problems.  This patch makes lastcomm[]
the right size, and makes sure it can't be overrun.  Since the code also
goes to the effort of getting a local copy of current in "me", we may as
well use it for printing the message.

Patch is against 2.6.10-rc2-mm3.

      J

 arch/x86_64/ia32/sys_ia32.c |   11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)

diff -puN arch/x86_64/ia32/sys_ia32.c~short-comm-string arch/x86_64/ia32/sys_ia32.c
--- local-2.6/arch/x86_64/ia32/sys_ia32.c~short-comm-string   2004-11-29 19:51:02.922621617 -0800
+++ local-2.6-jeremy/arch/x86_64/ia32/sys_ia32.c      2004-11-29 19:52:43.493561830 -0800
@@ -525,11 +525,12 @@ sys32_waitpid(compat_pid_t pid, unsigned
 int sys32_ni_syscall(int call)
 { 
      struct task_struct *me = current;
-     static char lastcomm[8];
-     if (strcmp(lastcomm, me->comm)) {
-     printk(KERN_INFO "IA32 syscall %d from %s not implemented\n", call,
-            current->comm);
-             strcpy(lastcomm, me->comm); 
+     static char lastcomm[sizeof(me->comm)];
+
+     if (strncmp(lastcomm, me->comm, sizeof(lastcomm))) {
+             printk(KERN_INFO "IA32 syscall %d from %s not implemented\n", call,
+                    me->comm);
+             strncpy(lastcomm, me->comm, sizeof(lastcomm));
      } 
      return -ENOSYS;        
 } 

_


Another posting:

> There's at least one more in the same file.  Looking for any more.

Only found the one extra in sys32_vm86_warning.

===== arch/x86_64/ia32/sys_ia32.c 1.74 vs edited =====
--- 1.74/arch/x86_64/ia32/sys_ia32.c    2004-11-02 06:40:37 -08:00
+++ edited/arch/x86_64/ia32/sys_ia32.c  2004-11-30 09:42:26 -08:00
@@ -525,11 +525,12 @@ sys32_waitpid(compat_pid_t pid, unsigned
 int sys32_ni_syscall(int call)
 { 
        struct task_struct *me = current;
-       static char lastcomm[8];
-       if (strcmp(lastcomm, me->comm)) {
-       printk(KERN_INFO "IA32 syscall %d from %s not implemented\n", call,
-              current->comm);
-               strcpy(lastcomm, me->comm); 
+       static char lastcomm[sizeof(me->comm)];
+
+       if (strncmp(lastcomm, me->comm, sizeof(lastcomm))) {
+               printk(KERN_INFO "IA32 syscall %d from %s not implemented\n",
+                      call, me->comm);
+               strncpy(lastcomm, me->comm, sizeof(lastcomm));
        } 
        return -ENOSYS;        
 } 
@@ -1125,11 +1126,11 @@ long sys32_fadvise64_64(int fd, __u32 of
 long sys32_vm86_warning(void)
 { 
        struct task_struct *me = current;
-       static char lastcomm[8];
-       if (strcmp(lastcomm, me->comm)) {
+       static char lastcomm[sizeof(me->comm)];
+       if (strncmp(lastcomm, me->comm, sizeof(lastcomm))) {
                printk(KERN_INFO "%s: vm86 mode not supported on 64 bit kernel\n",
                       me->comm);
-               strcpy(lastcomm, me->comm); 
+               strncpy(lastcomm, me->comm, sizeof(lastcomm)); 
        } 
        return -ENOSYS;
 }

Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-12-07 12:06:42 UTC

This is public now. CAN number pending.

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-12-07 23:49:00 UTC

Assigned CAN-2004-1151

Comment 4 Thierry Carrez (RETIRED) gentoo-dev

2004-12-15 02:25:32 UTC

From Andi Kleen :
----------------------------
It overflows 8 bytes into the next, not the previous static variable. That would be 

ffffffff805362e8 b lastcomm.0
ffffffff805362f0 b lastcomm.1
ffffffff805362f8 b count.1

It's probably one of the count variables in fs/compat_ioctl.c overwriting these is completely harmless because they only control a printk.

So in short I think it cannot be exploited in any ways.
----------------------------

Comment 5 Tim Yamin (RETIRED) gentoo-dev

2004-12-19 10:59:35 UTC

Created attachment 46359 [details, diff]
Patch

Comment 6 Tim Yamin (RETIRED) gentoo-dev

2004-12-25 05:05:40 UTC

The following externally maintained sources need this applying:

gentoo-dev-sources -- Adding dsd...
rsbac-dev-sources -- Adding kang...

Comment 7 Daniel Drake (RETIRED) gentoo-dev

2004-12-25 08:16:06 UTC

gentoo-dev-sources was already done :)

Comment 8 Guillaume Destuynder (RETIRED) gentoo-dev

2005-01-13 16:08:01 UTC

rsbac-dev-sources is ok now

Comment 9 Thierry Carrez (RETIRED) gentoo-dev

2005-03-16 03:16:32 UTC

Mass-Ccing kern-sec@gentoo.org to make sure Kernel Security guys know about all
of these...

Comment 10 Tim Yamin (RETIRED) gentoo-dev

2005-03-16 06:04:13 UTC

All fixed, resolving bug.