xorl %eax, %eax

CVE-2011-2209: Linux kernel Alpha osf_sysinfo() Information Leak


Continuing from the previous vulnerability, this one was also reported by Dan Rosenberg and it was located in the code of the osf_sysinfo() system call.

This system call is implemented in the arch/alpha/kernel/osf_sys.c file and here is the exact code.

SYSCALL_DEFINE3(osf_sysinfo, int, command, char __user *, buf, long, count)
{
        const char *sysinfo_table[] = {
                utsname()->sysname,
                utsname()->nodename,
                utsname()->release,
                utsname()->version,
                utsname()->machine,
                "alpha",        /* instruction set architecture */
                "dummy",        /* hardware serial number */
                "dummy",        /* hardware manufacturer */
                "dummy",        /* secure RPC domain */
        };
        unsigned long offset;
        const char *res;
        long len, err = -EINVAL;

        offset = command-1;
        if (offset >= ARRAY_SIZE(sysinfo_table)) {
                /* Digital UNIX has a few unpublished interfaces here */
                printk("sysinfo(%d)", command);
                goto out;
        }

        down_read(&uts_sem);
        res = sysinfo_table[offset];
        len = strlen(res)+1;
        if (len > count)
                len = count;
        if (copy_to_user(buf, res, len))
                err = -EFAULT;
        else
                err = 0;
        up_read(&uts_sem);
 out:
        return err;
}

Similarly to the previous one, the length check of the user controlled ‘count’ parameter has a signedness issue. Both ‘len’ and ‘count’ have signed data types, meaning that a negative ‘count’ passes the check: ‘len’ is set to that negative value and handed to copy_to_user(), which takes an unsigned length and therefore copies far more than the string, leaking adjacent kernel memory to user space.
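The following is an added user-space model of that clamp, not code from the kernel or from this post. It reproduces the original comparison beside the upstream fix's unsigned cast so the effect of a negative ‘count’ can be observed directly; the function names vuln_clamp(), fixed_clamp() and would_overread() and the sample string are assumptions made for the illustration.

```c
/* Added illustration (not the kernel's code): models the length clamp of
 * osf_sysinfo() to show why a signed comparison lets a negative 'count'
 * through and why the unsigned casts in the fix stop it. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Length copy_to_user() would receive under the original (vulnerable) check. */
size_t vuln_clamp(const char *res, long count)
{
    long len = strlen(res) + 1;   /* include the terminating NUL, as the kernel does */
    if (len > count)              /* signed compare: true for every negative count */
        len = count;              /* len is now negative */
    return (size_t)len;           /* the copy length is unsigned: negative becomes huge */
}

/* Length under the patched check (unsigned casts, as in the CVE-2011-2209 fix). */
size_t fixed_clamp(const char *res, long count)
{
    long len = strlen(res) + 1;
    /* A negative count becomes a huge unsigned value, so the clamp does not
     * fire and len keeps the real string length. */
    if ((unsigned long)len > (unsigned long)count)
        len = count;
    return (size_t)len;
}

/* Returns 1 when the clamped length exceeds the source string, i.e. the copy
 * would read past 'res' and leak memory; 0 otherwise. */
int would_overread(size_t n, const char *res)
{
    return n > strlen(res) + 1;
}

int main(void)
{
    const char *sample = "alpha";           /* constructed stand-in for a sysinfo_table entry */
    long counts[] = { 3, 100, -1, LONG_MIN }; /* constructed user-supplied 'count' values */
    size_t i;

    for (i = 0; i < sizeof(counts) / sizeof(counts[0]); i++) {
        size_t v = vuln_clamp(sample, counts[i]);
        size_t f = fixed_clamp(sample, counts[i]);
        printf("count=%ld  vulnerable len=%zu (leak=%d)  fixed len=%zu (leak=%d)\n",
               counts[i], v, would_overread(v, sample), f, would_overread(f, sample));
    }
    return 0;
}
```

With count = -1 the vulnerable path yields SIZE_MAX while the fixed path keeps strlen("alpha") + 1 = 6; for positive counts both variants behave identically, which is why the fix is safe to apply without changing the documented interface.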

The fix was to cast the variables to their equivalent unsigned data types during the check as shown below.

 	len = strlen(res)+1;
-	if (len > count)
+	if ((unsigned long)len > (unsigned long)count)
 		len = count;
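Review bot: the unsigned casts are correct because a negative ‘count’ now compares as a huge value, the clamp does not fire and ‘len’ keeps strlen(res)+1, so copy_to_user() never receives a length beyond the string; however the intent would be clearer with an explicit rejection of negative counts before the clamp, for example `if (count < 0) goto out;`, which returns the function's existing default `err = -EINVAL` instead of silently treating a malformed argument as "copy the whole string".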

Written by xorl

July 13, 2011 at 22:20

Posted in bugs, linux
