[MediaWiki-commits] [Gerrit] operations...linux44[master]: Add patch for CVE-2016-7042

Muehlenhoff (Code Review) Tue, 18 Oct 2016 12:14:33 -0700

Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/316614


Change subject: Add patch for CVE-2016-7042
......................................................................

Add patch for CVE-2016-7042

Change-Id: I92d77e50770ba459b99e4ba434cc810bc1b4f45f
---
M debian/changelog
A debian/patches/bugfix/all/CVE-2016-7042.patch
M debian/patches/series
3 files changed, 62 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux44 
refs/changes/14/316614/1

diff --git a/debian/changelog b/debian/changelog
index e279c41..652b851 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -19,8 +19,10 @@
     https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.24
   * Update to 4.4.25:
     https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.25
+  * Add patch by Vladis Dronov to address CVE-2016-7042 (not yet
+    merged upstream)
 
- -- Moritz Muehlenhoff <mmuhlenh...@wikimedia.org>  Mon, 17 Oct 2016 10:00:33 
+0200
+ -- Moritz Muehlenhoff <mmuhlenh...@wikimedia.org>  Tue, 18 Oct 2016 21:33:33 
+0200
 
 linux (4.4.2-3+wmf5) jessie-wikimedia; urgency=medium
 
diff --git a/debian/patches/bugfix/all/CVE-2016-7042.patch 
b/debian/patches/bugfix/all/CVE-2016-7042.patch
new file mode 100644
index 0000000..5257ea9
--- /dev/null
+++ b/debian/patches/bugfix/all/CVE-2016-7042.patch
@@ -0,0 +1,58 @@
+    KEYS: Fix short sprintf buffer in /proc/keys show function
+    
+    Fix a short sprintf buffer in proc_keys_show().  If the gcc stack protector
+    is turned on, this can cause a panic due to stack corruption.
+    
+    The problem is that xbuf[] is not big enough to hold a 64-bit timeout
+    rendered as weeks:
+    
+       (gdb) p 0xffffffffffffffffULL/(60*60*24*7)
+       $2 = 30500568904943
+    
+    That's 14 chars plus NUL, not 11 chars plus NUL.
+    
+    Expand the buffer to 16 chars.
+    
+    I think the unpatched code apparently works if the stack-protector is not
+    enabled because on a 32-bit machine the buffer won't be overflowed and on a
+    64-bit machine there's a 64-bit aligned pointer at one side and an int that
+    isn't checked again on the other side.
+    
+    The panic incurred looks something like:
+    
+    Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: 
ffffffff81352ebe
+    CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1
+    Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+     0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f
+     ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6
+     ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679
+    Call Trace:
+     [<ffffffff813d941f>] dump_stack+0x63/0x84
+     [<ffffffff811b2cb6>] panic+0xde/0x22a
+     [<ffffffff81352ebe>] ? proc_keys_show+0x3ce/0x3d0
+     [<ffffffff8109f7f9>] __stack_chk_fail+0x19/0x30
+     [<ffffffff81352ebe>] proc_keys_show+0x3ce/0x3d0
+     [<ffffffff81350410>] ? key_validate+0x50/0x50
+     [<ffffffff8134db30>] ? key_default_cmp+0x20/0x20
+     [<ffffffff8126b31c>] seq_read+0x2cc/0x390
+     [<ffffffff812b6b12>] proc_reg_read+0x42/0x70
+     [<ffffffff81244fc7>] __vfs_read+0x37/0x150
+     [<ffffffff81357020>] ? security_file_permission+0xa0/0xc0
+     [<ffffffff81246156>] vfs_read+0x96/0x130
+     [<ffffffff81247635>] SyS_read+0x55/0xc0
+     [<ffffffff817eb872>] entry_SYSCALL_64_fastpath+0x1a/0xa4
+    
+    Reported-by: Ondrej Kozina <okoz...@redhat.com>
+    Signed-off-by: David Howells <dhowe...@redhat.com>
+    Tested-by: Ondrej Kozina <okoz...@redhat.com>
+--- a/security/keys/proc.c     
++++ a/security/keys/proc.c     
+@@ -181,7 +181,7 @@ static int proc_keys_show(struct seq_file *m, void *v)
+       struct timespec now;
+       unsigned long timo;
+       key_ref_t key_ref, skey_ref;
+-      char xbuf[12];
++      char xbuf[16];
+       int rc;
+ 
+       struct keyring_search_context ctx = {
diff --git a/debian/patches/series b/debian/patches/series
index 287c245..380b702 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -126,3 +126,4 @@
 bugfix/all/stable-4.4.23.patch
 bugfix/all/stable-4.4.24.patch
 bugfix/all/stable-4.4.25.patch
+bugfix/all/CVE-2016-7042.patch

-- 
To view, visit https://gerrit.wikimedia.org/r/316614
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I92d77e50770ba459b99e4ba434cc810bc1b4f45f
Gerrit-PatchSet: 1
Gerrit-Project: operations/debs/linux44
Gerrit-Branch: master
Gerrit-Owner: Muehlenhoff <mmuhlenh...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits

[MediaWiki-commits] [Gerrit] operations...linux44[master]: Add patch for CVE-2016-7042

Reply via email to