Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/316614
Change subject: Add patch for CVE-2016-7042 ...................................................................... Add patch for CVE-2016-7042 Change-Id: I92d77e50770ba459b99e4ba434cc810bc1b4f45f --- M debian/changelog A debian/patches/bugfix/all/CVE-2016-7042.patch M debian/patches/series 3 files changed, 62 insertions(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux44 refs/changes/14/316614/1 diff --git a/debian/changelog b/debian/changelog index e279c41..652b851 100644 --- a/debian/changelog +++ b/debian/changelog @@ -19,8 +19,10 @@ https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.24 * Update to 4.4.25: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.25 + * Add patch by Vladis Dronov to address CVE-2016-7042 (not yet + merged upstream) - -- Moritz Muehlenhoff <mmuhlenh...@wikimedia.org> Mon, 17 Oct 2016 10:00:33 +0200 + -- Moritz Muehlenhoff <mmuhlenh...@wikimedia.org> Tue, 18 Oct 2016 21:33:33 +0200 linux (4.4.2-3+wmf5) jessie-wikimedia; urgency=medium diff --git a/debian/patches/bugfix/all/CVE-2016-7042.patch b/debian/patches/bugfix/all/CVE-2016-7042.patch new file mode 100644 index 0000000..5257ea9 --- /dev/null +++ b/debian/patches/bugfix/all/CVE-2016-7042.patch @@ -0,0 +1,58 @@ + KEYS: Fix short sprintf buffer in /proc/keys show function + + Fix a short sprintf buffer in proc_keys_show(). If the gcc stack protector + is turned on, this can cause a panic due to stack corruption. + + The problem is that xbuf[] is not big enough to hold a 64-bit timeout + rendered as weeks: + + (gdb) p 0xffffffffffffffffULL/(60*60*24*7) + $2 = 30500568904943 + + That's 14 chars plus NUL, not 11 chars plus NUL. + + Expand the buffer to 16 chars. + + I think the unpatched code apparently works if the stack-protector is not + enabled because on a 32-bit machine the buffer won't be overflowed and on a + 64-bit machine there's a 64-bit aligned pointer at one side and an int that + isn't checked again on the other side. + + The panic incurred looks something like: + + Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe + CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1 + Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 + 0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f + ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6 + ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679 + Call Trace: + [<ffffffff813d941f>] dump_stack+0x63/0x84 + [<ffffffff811b2cb6>] panic+0xde/0x22a + [<ffffffff81352ebe>] ? proc_keys_show+0x3ce/0x3d0 + [<ffffffff8109f7f9>] __stack_chk_fail+0x19/0x30 + [<ffffffff81352ebe>] proc_keys_show+0x3ce/0x3d0 + [<ffffffff81350410>] ? key_validate+0x50/0x50 + [<ffffffff8134db30>] ? key_default_cmp+0x20/0x20 + [<ffffffff8126b31c>] seq_read+0x2cc/0x390 + [<ffffffff812b6b12>] proc_reg_read+0x42/0x70 + [<ffffffff81244fc7>] __vfs_read+0x37/0x150 + [<ffffffff81357020>] ? security_file_permission+0xa0/0xc0 + [<ffffffff81246156>] vfs_read+0x96/0x130 + [<ffffffff81247635>] SyS_read+0x55/0xc0 + [<ffffffff817eb872>] entry_SYSCALL_64_fastpath+0x1a/0xa4 + + Reported-by: Ondrej Kozina <okoz...@redhat.com> + Signed-off-by: David Howells <dhowe...@redhat.com> + Tested-by: Ondrej Kozina <okoz...@redhat.com> +--- a/security/keys/proc.c ++++ a/security/keys/proc.c +@@ -181,7 +181,7 @@ static int proc_keys_show(struct seq_file *m, void *v) + struct timespec now; + unsigned long timo; + key_ref_t key_ref, skey_ref; +- char xbuf[12]; ++ char xbuf[16]; + int rc; + + struct keyring_search_context ctx = { diff --git a/debian/patches/series b/debian/patches/series index 287c245..380b702 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -126,3 +126,4 @@ bugfix/all/stable-4.4.23.patch bugfix/all/stable-4.4.24.patch bugfix/all/stable-4.4.25.patch +bugfix/all/CVE-2016-7042.patch -- To view, visit https://gerrit.wikimedia.org/r/316614 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I92d77e50770ba459b99e4ba434cc810bc1b4f45f Gerrit-PatchSet: 1 Gerrit-Project: operations/debs/linux44 Gerrit-Branch: master Gerrit-Owner: Muehlenhoff <mmuhlenh...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits