blob: 22f4ab3ce9bc7aa6c5ad923618e27429300e03e7
Description: trace: resolve stack corruption due to string copy
References:
https://source.android.com/security/bulletin/2017-05-01
https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=2161ae9a70b12cf18ac8e5952a20161ffbccb477
https://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace.git/commit?id=e09e28671cda63e6308b31798b997639120e2a21
Notes:
jmm> From Android security bulletin, not sure if it's also an issue with mainline
bwh> trace_find_cmdline() copies a command name out of the cache
bwh> (saved_cmdlines) that was first copied from task_struct::comm.
bwh> That first copy is done without holding the task lock, which can
bwh> result in reading a garbled name. However, it is also done with
bwh> memcpy(), so it always includes the last byte which is always
bwh> written as 0. So this seems like a theoretical issue, but maybe
bwh> I'm missing something. Also, the fix sets a maximum length 1
bwh> byte too short.
bwh> The upstream commit message seems to agree with this.
carnil> The CVE has been REJECTED, cf.
carnil> https://marc.info/?l=oss-security&m=150703005326252&w=2
carnil> keeping the entry in 'retired' in case we need to reevaluate/prove
carnil> status.
Bugs:
upstream: released (4.12-rc1) [e09e28671cda63e6308b31798b997639120e2a21]
4.9-upstream-stable: released (4.9.269) [27b1e95a936e23a9328e1f318c199d3946352531]
3.16-upstream-stable: released (3.16.44) [a1141b19b23a0605d46f3fab63fd2d76207096c4]
3.2-upstream-stable: released (3.2.89) [e39e64193a8a611d11d4c62579a7246c1af70d1c]
sid: released (4.9.30-1) [bugfix/all/tracing-Use-strlcpy-instead-of-strcpy-in-__trace_fin.patch]
4.9-stretch-security: N/A "Fixed before branching point"
3.16-jessie-security: released (3.16.43-2+deb8u1) [bugfix/all/tracing-Use-strlcpy-instead-of-strcpy-in-__trace_fin.patch]
3.2-wheezy-security: released (3.2.89-1)
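Added illustration of the bound bwh discusses above (this is not the kernel's code; the saved_cmdlines contents and the helper names are constructed): a comm slot is TASK_COMM_LEN bytes with a guaranteed trailing NUL, so a bounded copy into a same-sized destination only preserves a full 15-character name when the bound is the whole destination size, and a bound of TASK_COMM_LEN - 1 silently drops the last character.

```c
#include <stddef.h>
#include <string.h>

#define TASK_COMM_LEN 16

/* Minimal strlcpy() so the example builds with any libc.
 * Copies at most size-1 bytes, always NUL-terminates, returns strlen(src);
 * a return value >= size means the copy was truncated. */
static size_t bounded_copy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);
    if (size) {
        size_t n = len < size - 1 ? len : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* Constructed stand-in for the saved_cmdlines cache: each entry is a full
 * TASK_COMM_LEN slot whose last byte is always 0, as in task_struct::comm. */
static const char saved_cmdlines[][TASK_COMM_LEN] = {
    "kworker/u16:3",    /* 13 characters */
    "NetworkManager1",  /* 15 characters: the longest legal comm */
};

/* Copy cache entry idx into comm (a TASK_COMM_LEN buffer) using bound as
 * the size argument. Returns 1 if the name was truncated, 0 otherwise. */
int find_cmdline(char *comm, int idx, size_t bound)
{
    return bounded_copy(comm, saved_cmdlines[idx], bound) >= bound;
}
```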