xorl %eax, %eax

CVE-2011-2208: Linux kernel Alpha osf_getdomainname() Information Leak


This was the first of a series of vulnerabilities in the Alpha architecture code reported by Dan Rosenberg (aka bliss). The osf_getdomainname() system call for Alpha lives in arch/alpha/kernel/osf_sys.c.
Below is the code of the aforementioned system call.

/*
 * For compatibility with OSF/1 only.  Use utsname(2) instead.
 */
SYSCALL_DEFINE2(osf_getdomainname, char __user *, name, int, namelen)
{
        unsigned len;
        int i;

        if (!access_ok(VERIFY_WRITE, name, namelen))
                return -EFAULT;

        len = namelen;
        if (namelen > 32)
                len = 32;

        down_read(&uts_sem);
        for (i = 0; i < len; ++i) {
                __put_user(utsname()->domainname[i], name + i);
                if (utsname()->domainname[i] == '\0')
                        break;
        }
        up_read(&uts_sem);

        return 0;
}

As you can see, the user controlled 'namelen' parameter, a signed int, is checked against 32 so that the subsequent __put_user() loop copies at most 32 bytes of the kernel's domain name buffer to user space (domainname[] in struct new_utsname is 65 bytes long, so 32 is well inside it).
However, the comparison is made on the signed value: a negative 'namelen' is not greater than 32, so it passes the check untouched, and the assignment to the unsigned 'len' turns it into a very large bound. The loop then keeps copying bytes out until it meets the first NUL byte instead of stopping at the intended 32, leaking kernel memory to the caller.
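To make the signedness problem concrete, here is a small user-space model of the length handling, written for this write-up rather than taken from the kernel. It keeps the two lines that matter (the compare and the copy loop) and drops everything else: there is no access_ok(), and utsname() is replaced by a constructed 64-character domain name that is NUL-terminated at index 64, which is the longest name setdomainname() will store. Both the original bound (signed compare) and the fixed bound (unsigned compare) are shown side by side.

```c
/*
 * User-space model of the osf_getdomainname() length handling.
 * Constructed example for this post, not kernel code: access_ok() is
 * left out, and utsname() is replaced by a fixed sample buffer.
 */
#include <stddef.h>
#include <stdio.h>

#define DOMAIN_LEN 65   /* __NEW_UTS_LEN + 1: size of new_utsname.domainname */
#define OSF_CAP    32   /* the limit the OSF/1 compat call is meant to enforce */

/* Constructed stand-in for utsname()->domainname: a 64-character name,
 * NUL-terminated at index 64 (the longest setdomainname() accepts). */
static const char sample_domainname[DOMAIN_LEN] =
    "aaaaaaaaaabbbbbbbbbbccccccccccddddddddddeeeeeeeeeeffffffffffgggg";

/* Vulnerable bound: the compare is done on the signed namelen, so a
 * negative value is never clamped and becomes huge once stored in len. */
static unsigned vuln_bound(int namelen)
{
    unsigned len = namelen;
    if (namelen > OSF_CAP)
        len = OSF_CAP;
    return len;
}

/* Fixed bound: compare the unsigned copy, so a negative namelen wraps to
 * a large value and is clamped like any other oversized request. */
static unsigned fixed_bound(int namelen)
{
    unsigned len = namelen;
    if (len > OSF_CAP)
        len = OSF_CAP;
    return len;
}

/*
 * The syscall's copy loop, parameterised on the bound. Returns the number
 * of bytes that would reach user space. 'out' must hold DOMAIN_LEN bytes.
 * The kernel loop stops at the first NUL; the extra 'i < DOMAIN_LEN' guard
 * only keeps this model memory-safe and never fires with the sample name.
 */
static unsigned copy_domainname(char *out, unsigned len)
{
    unsigned i;
    for (i = 0; i < len && i < DOMAIN_LEN; i++) {
        out[i] = sample_domainname[i];
        if (sample_domainname[i] == '\0')
            return i + 1;
    }
    return i;
}

/* Bytes copied for a given namelen, with the vulnerable or the fixed bound. */
static unsigned bytes_copied(int namelen, int use_fix)
{
    char out[DOMAIN_LEN];
    unsigned len = use_fix ? fixed_bound(namelen) : vuln_bound(namelen);
    return copy_domainname(out, len);
}

int main(void)
{
    const int cases[] = { 10, 32, 100, -1 };
    size_t n;

    for (n = 0; n < sizeof cases / sizeof cases[0]; n++) {
        int nl = cases[n];
        printf("namelen=%4d  vuln: bound=%10u copied=%2u   fixed: bound=%2u copied=%2u\n",
               nl, vuln_bound(nl), bytes_copied(nl, 0),
               fixed_bound(nl), bytes_copied(nl, 1));
    }
    return 0;
}
```

With namelen = -1 the vulnerable bound is 4294967295 and the loop runs until the NUL at index 64, so 65 bytes leave the kernel instead of 32; with the fixed bound the same call is clamped to 32 like a request of 100 would be. Positive values at or below 32 behave identically in both versions.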

The fix was to make the comparison on the unsigned 'len', which has already been initialised from 'namelen' at that point: a negative 'namelen' becomes a large unsigned value, exceeds 32 and is clamped to 32 like any other oversized request.

 	len = namelen;
-	if (namelen > 32)
+	if (len > 32)
 		len = 32;
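Review bot: the access_ok(VERIFY_WRITE, name, namelen) call above this hunk still receives the signed namelen rather than the clamped len, so the size that is validated and the size the copy loop uses now differ whenever namelen is negative or larger than 32. Consider rejecting negative values up front (`if (namelen < 0) return -EINVAL;`), or doing the clamp before access_ok() and passing len to it, so that one value is both checked and used.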

Written by xorl

July 13, 2011 at 22:15

Posted in bugs, linux
