CVE-2009-2584

Michael Gilbert
PostPosted: Thu Nov 05, 2009 7:10 am    Post subject: CVE-2009-2584
Archived from groups: linux>kernel

Hi,

CVE-2009-2584 [0],[1] has been disclosed for quite a while now (with
existing exploit code by Brad Spengler [2]). A patch has also been
available for the same amount of time [3], but as of 2.6.32-rc6 it is
still not applied. Did this slip through the cracks? Thanks upfront
for any info on the matter.

Best wishes,
Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2584
[1] http://xorl.wordpress.com/2009/07/21/linux-kernel-sgi-gru-driver-off-b...ne-over
[2] http://grsecurity.net/~spender/exploit_demo.c
[3] http://lkml.org/lkml/2009/7/20/348
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Michael Gilbert
PostPosted: Thu Nov 05, 2009 7:10 am    Post subject: Re: CVE-2009-2584

On Wed, 04 Nov 2009 14:08:41 -0800, Justin P. Mattock wrote:
> just read something today which might
> be similar/same as what you might
> be referring to.
> http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/

Hi,

Thank you very much for the quick response, but that link refers to
CVE-2009-3547 (not CVE-2009-2584), which is a different issue
altogether.

Best wishes,
Mike
Justin P. Mattock
PostPosted: Thu Nov 05, 2009 7:10 am    Post subject: Re: CVE-2009-2584

Michael Gilbert wrote:
> Hi,
>
> CVE-2009-2584 [0],[1] has been disclosed for quite a while now (with
> existing exploit code by Brad Spengler [2]). A patch has also been
> available for the same amount of time [3], but as of 2.6.32-rc6 it is
> still not applied. Did this slip through the cracks? Thanks upfront
> for any info on the matter.
>
> Best wishes,
> Mike
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2584
> [1] http://xorl.wordpress.com/2009/07/21/linux-kernel-sgi-gru-driver-off-b...ne-over
> [2] http://grsecurity.net/~spender/exploit_demo.c
> [3] http://lkml.org/lkml/2009/7/20/348
>
just read something today which might
be similar/same as what you might
be referring to.
http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/

Justin P. Mattock


Justin P. Mattock
PostPosted: Thu Nov 05, 2009 7:10 am    Post subject: Re: CVE-2009-2584

Michael Gilbert wrote:
> On Wed, 04 Nov 2009 14:08:41 -0800, Justin P. Mattock wrote:
>
>> just read something today which might
>> be similar/same as what you might
>> be referring to.
>> http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/
>>
>
> Hi,
>
> Thank you very much for the quick response, but that link refers to
> CVE-2009-3547 (not CVE-2009-2584), which is a different issue
> altogether.
>
> Best wishes,
> Mike
>
>
alright..
wasn't sure or not.
hopefully somebody gives some info
on this (I don't like seeing these things).

Justin P. Mattock
Jiri Kosina
PostPosted: Thu Nov 05, 2009 1:10 pm    Post subject: Re: CVE-2009-2584

[ adding some more CCs and including patch below for completeness,
obviously it got lost in space ]

On Wed, 4 Nov 2009, Michael Gilbert wrote:

> CVE-2009-2584 [0],[1] has been disclosed for quite a while now (with
> existing exploit code by Brad Spengler [2]). A patch has also been
> available for the same amount of time [3], but as of 2.6.32-rc6 it is
> still not applied. Did this slip through the cracks? Thanks upfront
> for any info on the matter.
[ ... ]
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2584
> [1] http://xorl.wordpress.com/2009/07/21/linux-kernel-sgi-gru-driver-off-b...ne-over
> [2] http://grsecurity.net/~spender/exploit_demo.c
> [3] http://lkml.org/lkml/2009/7/20/348



From: Michael Buesch <mb@bu3sch.de>
Subject: sgi-gru: Fix kernel stack buffer overrun

This patch fixes a kernel stack buffer overrun in the sgi-gru procfs
interface implementation. The "count" parameter to options_write() is user
controlled. So this bug can be used to write '\0' bytes to almost
arbitrary places on the kernel stack.

Cc: stable@kernel.org
Signed-off-by: Michael Buesch <mb@bu3sch.de>
Acked-by: Jack Steiner <steiner@sgi.com>

--- linux-2.6.orig/drivers/misc/sgi-gru/gruprocfs.c
+++ linux-2.6/drivers/misc/sgi-gru/gruprocfs.c
@@ -157,23 +157,23 @@ static int options_show(struct seq_file
seq_printf(s, "0x%lx\n", gru_options);
return 0;
}

static ssize_t options_write(struct file *file, const char __user *userbuf,
size_t count, loff_t *data)
{
unsigned long val;
char buf[80];

+ memset(buf, 0, sizeof(buf));
if (strncpy_from_user(buf, userbuf, sizeof(buf) - 1) < 0)
return -EFAULT;
- buf[count - 1] = '\0';
if (!strict_strtoul(buf, 10, &val))
gru_options = val;

return count;
}

static int cch_seq_show(struct seq_file *file, void *data)
{
long gid = *(long *)data;
int i;


Linus Torvalds
PostPosted: Thu Nov 05, 2009 1:10 pm    Post subject: Re: CVE-2009-2584

On Thu, 5 Nov 2009, Linus Torvalds wrote:
> {
> - unsigned long val;
> - char buf[80];
> + char buf[16];

On third thought, this was too aggressive.

Using "0x%16ul" as a format on 64-bit machines is reasonable, so 19 bytes
of buffer is not insane (with the terminating NUL). Of course, it never
used to accept hex numbers, so it's not like it would have worked before,
but the point is that I cut down the buffer unnecessarily strictly.

Can anybody see anything else wrong in that suggested fix?

Linus
Michael Buesch
PostPosted: Thu Nov 05, 2009 1:10 pm    Post subject: Re: CVE-2009-2584

On Thursday 05 November 2009 18:38:21 Linus Torvalds wrote:
> @@ -161,14 +161,15 @@ static int options_show(struct seq_file *s, void *p)
> static ssize_t options_write(struct file *file, const char __user *userbuf,
> size_t count, loff_t *data)
> {
> - unsigned long val;
> - char buf[80];
> + char buf[16];
>
> - if (strncpy_from_user(buf, userbuf, sizeof(buf) - 1) < 0)
> + if (count >= sizeof(buf))
> + return -EINVAL;
> + if (copy_from_user(buf, userbuf, count))
> return -EFAULT;
> - buf[count - 1] = '\0';
> - if (!strict_strtoul(buf, 10, &val))
> - gru_options = val;
> + buf[count] = '\0';
> + if (strict_strtoul(buf, 0, &gru_options))
> + return -EINVAL;
>
> return count;
> }
>
>
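Review bot: `char buf[16]` is too small for the input this hunk now accepts: with strict_strtoul(buf, 0, &gru_options) the value may be written in hex, and "0x" plus 16 hex digits is 18 characters, 19 with the NUL and 20 once a trailing newline from `echo` is counted, so `if (count >= sizeof(buf)) return -EINVAL;` turns a valid 64-bit value into -EINVAL; `char buf[20]` covers it. The rest of the hunk is the right shape: `count` is checked before it is used as the length for copy_from_user() or as the index of the terminator, and a parse failure now returns -EINVAL instead of silently reporting success.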

Looks OK to me. I can't test it however, as I don't own the hardware.

--
Greetings, Michael.
Roland Dreier
PostPosted: Thu Nov 05, 2009 2:10 pm    Post subject: Re: CVE-2009-2584

> So here's a second try. I guess the 'return count/-EFAULT' lines were
> actually correct after all. So it wasn't _all_ buggy or insane.

The blank lines seem fine too.

- R.
Jack Steiner
PostPosted: Thu Nov 05, 2009 2:10 pm    Post subject: Re: CVE-2009-2584

On Thu, Nov 05, 2009 at 06:47:33PM +0100, Michael Buesch wrote:
> On Thursday 05 November 2009 18:38:21 Linus Torvalds wrote:
> > @@ -161,14 +161,15 @@ static int options_show(struct seq_file *s, void *p)
> > static ssize_t options_write(struct file *file, const char __user *userbuf,
> > size_t count, loff_t *data)
> > {
> > - unsigned long val;
> > - char buf[80];
> > + char buf[16];
> >
> > - if (strncpy_from_user(buf, userbuf, sizeof(buf) - 1) < 0)
> > + if (count >= sizeof(buf))
> > + return -EINVAL;
> > + if (copy_from_user(buf, userbuf, count))
> > return -EFAULT;
> > - buf[count - 1] = '\0';
> > - if (!strict_strtoul(buf, 10, &val))
> > - gru_options = val;
> > + buf[count] = '\0';
> > + if (strict_strtoul(buf, 0, &gru_options))
> > + return -EINVAL;
> >
> > return count;
> > }
> >
> >
>
> Looks OK to me. I can't test it however, as I don't own the hardware.

"buf" should be larger than 16. The string could be "0x" + 16 characters.

I'll verify the rest.


We have the hardware :)


--- jack
Linus Torvalds
PostPosted: Thu Nov 05, 2009 2:10 pm    Post subject: Re: CVE-2009-2584

On Thu, 5 Nov 2009, Michael Buesch wrote:
>
> Looks OK to me. I can't test it however, as I don't own the hardware.

Heh. Even the people who wanted to write exploit examples had the same
small problem. I doubt it really matters for anybody.

I'm committing it, just because I don't think it can really be any worse
than the status quo. But I'll happily take further patches, especially
from anybody who actually has access to the hardware.

Linus
Linus Torvalds
PostPosted: Thu Nov 05, 2009 2:10 pm    Post subject: Re: CVE-2009-2584

On Thu, 5 Nov 2009, Jack Steiner wrote:
>
> "buf" should be larger than 16. The string could be "0x" + 16 characters.

I have 'char buf[20];' in my tree now.

> I'll verify the rest.
>
> We have the hardware :)

Thanks. I've committed it locally, but if I get a tested-by or an ack (or
a fix) soon enough, I'll update the commit before I push it out.

Linus
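The thread settles three things about options_write(): the user-supplied `count` has to be checked before it is used as a copy length or an index, a parse failure should be reported rather than swallowed, and a 20-byte buffer is needed once hex input ("0x" + 16 digits, a newline and the NUL) is accepted. The following is an added example, not code from the sgi-gru driver or from anyone in this thread: a userspace model of that hardened logic, written to exercise the 16-versus-20-byte sizing argument. The kernel helpers are replaced by libc stand-ins (memcpy for copy_from_user(), strtoul for strict_strtoul()), and the `bufsize` parameter is an assumption made only so both sizes can be tried; the kernel code uses a fixed `char buf[20]`.

```c
/*
 * Added example (not the driver's code): userspace model of the fixed
 * options_write() path, with the buffer size as a parameter so the
 * 16-vs-20 byte question from the thread can be checked directly.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* "0x" + 16 hex digits + trailing '\n' (as written by echo) + NUL. */
#define OPT_BUF_SIZE 20

static unsigned long gru_options_model;

/*
 * Stand-in for strict_strtoul(): the whole string must be one number,
 * optionally followed by a single trailing newline. Returns 0 on success,
 * -EINVAL otherwise, and leaves *res untouched on failure.
 */
static int model_strict_strtoul(const char *cp, unsigned int base,
                                unsigned long *res)
{
    size_t len = strlen(cp);
    char *tail;
    unsigned long val;

    if (len == 0)
        return -EINVAL;
    if (cp[len - 1] == '\n')
        len--;
    errno = 0;
    val = strtoul(cp, &tail, base);
    if (errno == ERANGE || tail == cp)      /* overflow, or no digits at all */
        return -EINVAL;
    if ((size_t)(tail - cp) != len)         /* trailing junk */
        return -EINVAL;
    *res = val;
    return 0;
}

/*
 * Why the original code was a kernel stack overrun: it executed
 * buf[count - 1] = '\0' on an 80-byte buffer with a user-controlled count
 * and no check. This reports whether that store would have stayed inside
 * the buffer; count == 0 wraps to SIZE_MAX and is out of bounds as well.
 */
static int old_store_in_bounds(size_t count)
{
    const size_t old_bufsize = 80;

    return count >= 1 && count - 1 < old_bufsize;
}

/*
 * Model of the fixed options_write(): count is validated against the buffer
 * before it is used as a copy length or as the index of the terminator, and
 * a parse failure is reported as -EINVAL instead of a successful write.
 */
static long model_options_write(const char *userbuf, size_t count,
                                size_t bufsize)
{
    char buf[OPT_BUF_SIZE];

    if (bufsize > sizeof(buf))              /* assumption: bufsize <= 20 */
        return -EINVAL;
    if (count >= bufsize)                   /* keep room for the NUL */
        return -EINVAL;
    memcpy(buf, userbuf, count);            /* stands in for copy_from_user() */
    buf[count] = '\0';                      /* index is now provably < bufsize */
    if (model_strict_strtoul(buf, 0, &gru_options_model))
        return -EINVAL;
    return (long)count;
}

int main(void)
{
    /* constructed input: 2 + 16 + 1 = 19 bytes, the longest legal hex write */
    const char *hex64 = "0x00000000deadbeef\n";
    size_t n = strlen(hex64);
    long ret;

    ret = model_options_write(hex64, n, 16);
    printf("buf[16]: %ld\n", ret);                       /* -22 (EINVAL) */
    ret = model_options_write(hex64, n, 20);
    printf("buf[20]: %ld -> gru_options = 0x%lx\n", ret, gru_options_model);
    printf("old code, count 0 in bounds? %d\n", old_store_in_bounds(0));
    return 0;
}
```

Run stand-alone it shows the 19-byte hex write rejected by a 16-byte buffer and accepted by a 20-byte one, which is the point Jack Steiner raised and Linus resolved with `char buf[20]`.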
Jack Steiner
PostPosted: Thu Nov 05, 2009 2:10 pm    Post subject: Re: CVE-2009-2584

On Thu, Nov 05, 2009 at 10:22:43AM -0800, Linus Torvalds wrote:
>
>
> On Thu, 5 Nov 2009, Jack Steiner wrote:
> >
> > "buf" should be larger than 16. The string could be "0x" + 16 characters.
>
> I have 'char buf[20];' in my tree now.
>
> > I'll verify the rest.
> >
> > We have the hardware :)
>
> Thanks. I've committed it locally, but if I get a tested-by or an ack (or
> a fix) soon enough, I'll update the commit before I push it out.

Tested on real hardware.

Acked-by: Jack Steiner <steiner@sgi.com>


--- jack