Description: trace: resolve stack corruption due to string copy
References:
 https://source.android.com/security/bulletin/2017-05-01
 https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=2161ae9a70b12cf18ac8e5952a20161ffbccb477
 https://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace.git/commit?id=e09e28671cda63e6308b31798b997639120e2a21
Notes:
 jmm> From Android security bulletin, not sure if it's also an issue with mainline
 bwh> trace_find_cmdline() copies a command name out of the cache
 bwh> (saved_cmdlines) that was first copied from task_struct::comm.
 bwh> That first copy is done without holding the task lock, which can
 bwh> result in reading a garbled name. However, it is also done with
 bwh> memcpy(), so it always includes the last byte which is always
 bwh> written as 0. So this seems like a theoretical issue, but maybe
 bwh> I'm missing something. Also, the fix sets a maximum length 1
 bwh> byte too short.
 bwh> The upstream commit message seems to agree with this.
 carnil> The CVE has been REJECTED, cf.
 carnil> https://marc.info/?l=oss-security&m=150703005326252&w=2
 carnil> keeping the entry in 'retired' in case we need to reevaluate/prove
 carnil> status.
Bugs:
upstream: released (4.12-rc1) [e09e28671cda63e6308b31798b997639120e2a21]
4.9-upstream-stable: released (4.9.269) [27b1e95a936e23a9328e1f318c199d3946352531]
3.16-upstream-stable: released (3.16.44) [a1141b19b23a0605d46f3fab63fd2d76207096c4]
3.2-upstream-stable: released (3.2.89) [e39e64193a8a611d11d4c62579a7246c1af70d1c]
sid: released (4.9.30-1) [bugfix/all/tracing-Use-strlcpy-instead-of-strcpy-in-__trace_fin.patch]
4.9-stretch-security: N/A "Fixed before branching point"
3.16-jessie-security: released (3.16.43-2+deb8u1) [bugfix/all/tracing-Use-strlcpy-instead-of-strcpy-in-__trace_fin.patch]
3.2-wheezy-security: released (3.2.89-1)
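The two copies bwh describes in the notes, modelled in userspace as an added example (this is not kernel code and not part of the tracker entry): a memcpy() of the full TASK_COMM_LEN (16 in Linux) bytes from a NUL-terminated comm always carries byte 15, which is 0, into the cache slot, so the later strcpy() out of the slot is bounded by that NUL; and a length-bounded copy with TASK_COMM_LEN - 1 as the bound, the off-by-one bwh points out in the fix, drops the last character of a 15-character name. The function names, the cache slot and the sample names are constructed for the example; strlcpy() is stood in for with snprintf(), which has the same "size minus one characters plus NUL" behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Linux task_struct::comm is TASK_COMM_LEN bytes and is always written
 * NUL-terminated; the names below are our own, not the kernel's. */
#define TASK_COMM_LEN 16

/* Build a comm the way the kernel leaves it: at most 15 characters, byte 15 = 0. */
static void make_comm(char comm[TASK_COMM_LEN], const char *name)
{
    memset(comm, 0, TASK_COMM_LEN);
    strncpy(comm, name, TASK_COMM_LEN - 1);
}

/* First copy (comm -> saved_cmdlines slot), done with memcpy() of all 16 bytes.
 * Even if the source were being rewritten concurrently (not modelled here),
 * byte 15 of a valid comm is 0, so the slot always ends with a NUL. */
static void cache_comm(char slot[TASK_COMM_LEN], const char comm[TASK_COMM_LEN])
{
    memcpy(slot, comm, TASK_COMM_LEN);
}

/* Second copy, before the fix: strcpy() out of the slot, bounded only by the
 * NUL that memcpy() carried over. Returns the length of the copied name. */
static size_t out_len_strcpy(const char *name)
{
    char comm[TASK_COMM_LEN], slot[TASK_COMM_LEN], out[TASK_COMM_LEN];
    make_comm(comm, name);
    cache_comm(slot, comm);
    strcpy(out, slot);
    return strlen(out);
}

/* Second copy with a TASK_COMM_LEN - 1 bound, modelled with snprintf() since
 * strlcpy() is not in the C standard library: at most 14 characters fit, so a
 * 15-character name loses its last character. Returns the copied length. */
static size_t out_len_bounded(const char *name)
{
    char comm[TASK_COMM_LEN], slot[TASK_COMM_LEN], out[TASK_COMM_LEN];
    make_comm(comm, name);
    cache_comm(slot, comm);
    snprintf(out, TASK_COMM_LEN - 1, "%s", slot);
    return strlen(out);
}

int main(void)
{
    /* Constructed sample: the longest name a comm can hold (15 characters). */
    const char *longest = "abcdefghijklmno";
    printf("strcpy out of cache : %zu chars\n", out_len_strcpy(longest));
    printf("bounded by LEN - 1  : %zu chars\n", out_len_bounded(longest));
    return 0;
}
```

Run stand-alone it prints 15 for the strcpy path and 14 for the bounded one; a short name such as "sh" comes through both paths intact, which is why the truncation only shows up for names that fill comm.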