CVE-2011-2209: Linux kernel Alpha osf_sysinfo() Information Leak
Continuing from the previous vulnerability, this one was also reported by Dan Rosenberg and is located in the osf_sysinfo() system call.
That system call lives in the arch/alpha/kernel/osf_sys.c file; here is the exact code.
SYSCALL_DEFINE3(osf_sysinfo, int, command, char __user *, buf, long, count)
{
	const char *sysinfo_table[] = {
		utsname()->sysname,
		utsname()->nodename,
		utsname()->release,
		utsname()->version,
		utsname()->machine,
		"alpha",	/* instruction set architecture */
		"dummy",	/* hardware serial number */
		"dummy",	/* hardware manufacturer */
		"dummy",	/* secure RPC domain */
	};
	unsigned long offset;
	const char *res;
	long len, err = -EINVAL;

	offset = command-1;
	if (offset >= ARRAY_SIZE(sysinfo_table)) {
		/* Digital UNIX has a few unpublished interfaces here */
		printk("sysinfo(%d)", command);
		goto out;
	}

	down_read(&uts_sem);
	res = sysinfo_table[offset];
	len = strlen(res)+1;
	if (len > count)
		len = count;
	if (copy_to_user(buf, res, len))
		err = -EFAULT;
	else
		err = 0;
	up_read(&uts_sem);
 out:
	return err;
}
As with the previous bug, the clamp on the user-controlled 'count' parameter has a signedness issue. Both 'len' and 'count' are signed longs, so a negative 'count' does not fail the check, it satisfies it: 'len > count' is true, 'len' is set to the negative 'count', and that value is handed to copy_to_user(), which takes its size as an unsigned long and therefore sees a huge length. The copy runs past the terminator of the selected string into whatever kernel memory follows it and stops only when it faults at the end of the user buffer's mapping. By then the bytes already copied are sitting in user space, so the -EFAULT the call returns does not undo the leak; a caller who places 'buf' just before an unmapped page chooses how much kernel memory it receives.
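The following is an added user-space simulation, not kernel code and not from the original post, that contrasts the original signed comparison with the unsigned-cast one the fix introduced. fake_kernel_mem, sim_copy_to_user(), the 64-byte user mapping and sim_osf_sysinfo() are constructed stand-ins for the kernel memory after the selected string, for the real copy_to_user() (which stops at the first unmapped user page and returns the number of bytes it did not copy) and for the tail of osf_sysinfo(); the "SECRET" bytes are made up.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for kernel memory: the selected sysinfo_table entry
 * ("alpha") followed by bytes that must never reach user space. */
static const char fake_kernel_mem[] = "alpha\0SECRET-KERNEL-DATA-0123456789";
#define FAKE_KERNEL_SIZE sizeof(fake_kernel_mem)

/* Simulated user mapping: the first 'mapped' bytes of 'buf' are mapped,
 * anything past them would fault. */
struct user_mapping {
    unsigned char *buf;
    size_t mapped;
};

/* Simulated copy_to_user(): copies until the user mapping ends (the fault
 * the real kernel would take) and, like the real one, returns the number of
 * bytes it could NOT copy. Bytes copied before the fault stay in user space. */
static unsigned long sim_copy_to_user(struct user_mapping *u, const char *from,
                                      unsigned long n)
{
    unsigned long doable = n;
    size_t src_avail = FAKE_KERNEL_SIZE - (size_t)(from - fake_kernel_mem);

    if (doable > src_avail)   /* keep the simulation itself in bounds */
        doable = src_avail;
    if (doable > u->mapped)   /* the simulated fault at the end of the mapping */
        doable = u->mapped;
    memcpy(u->buf, from, doable);
    return n - doable;
}

typedef long (*clamp_fn)(const char *res, long count);

/* The pre-fix clamp: a signed comparison, so count == -1 yields len == -1. */
static long vulnerable_clamp(const char *res, long count)
{
    long len = strlen(res) + 1;
    if (len > count)
        len = count;
    return len;
}

/* The CVE-2011-2209 fix: compare as unsigned, so a negative count becomes a
 * huge value that never wins the comparison and len stays strlen(res)+1. */
static long fixed_clamp(const char *res, long count)
{
    long len = strlen(res) + 1;
    if ((unsigned long)len > (unsigned long)count)
        len = count;
    return len;
}

/* Models the tail of osf_sysinfo(): returns 0 or -EFAULT as the syscall would
 * and, if 'leaked' is non-NULL, stores how many bytes past the string's
 * terminator ended up in user space. user_map_len is capped at 64 (hypothetical). */
static long sim_osf_sysinfo(clamp_fn clamp, long count, size_t user_map_len,
                            long *leaked)
{
    unsigned char user_mem[64] = {0};
    struct user_mapping u = { user_mem,
        user_map_len > sizeof(user_mem) ? sizeof(user_mem) : user_map_len };
    const char *res = fake_kernel_mem;   /* plays the role of sysinfo_table[5] */
    long len = clamp(res, count);
    unsigned long not_copied = sim_copy_to_user(&u, res, (unsigned long)len);
    unsigned long copied = (unsigned long)len - not_copied;
    unsigned long str_size = strlen(res) + 1;

    if (leaked)
        *leaked = copied > str_size ? (long)(copied - str_size) : 0;
    return not_copied ? -EFAULT : 0;
}

/* Convenience wrapper: bytes of kernel memory beyond the string that leaked. */
static long leaked_bytes(clamp_fn clamp, long count, size_t user_map_len)
{
    long leaked = 0;
    sim_osf_sysinfo(clamp, count, user_map_len, &leaked);
    return leaked;
}

int main(void)
{
    printf("vulnerable, count=-1: err=%ld, leaked %ld bytes past the string\n",
           sim_osf_sysinfo(vulnerable_clamp, -1, 32, NULL),
           leaked_bytes(vulnerable_clamp, -1, 32));
    printf("fixed,      count=-1: err=%ld, leaked %ld bytes past the string\n",
           sim_osf_sysinfo(fixed_clamp, -1, 32, NULL),
           leaked_bytes(fixed_clamp, -1, 32));
    return 0;
}
```

With count = -1 and a 32-byte user mapping the vulnerable clamp returns -EFAULT, exactly as the real syscall would, yet 26 bytes of the constructed "kernel" memory have already been copied; the same call through the fixed clamp copies only the six bytes of "alpha" plus its terminator.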
The fix was to cast both variables to unsigned long for the comparison, as shown in the diff below.
len = strlen(res)+1; - if (len > count) + if ((unsigned long)len > (unsigned long)count) len = count;
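Review bot: the unsigned cast in the comparison is correct but hides the intent; a negative count now compares as a huge unsigned value, so len keeps strlen(res)+1 and the copy is bounded by the string, which a reader has to work out from the casts. Consider rejecting negative counts explicitly before the comparison, e.g. `if (count < 0) return -EINVAL;`, or at least a one-line comment saying that a negative count deliberately means "copy the whole string". Also worth noting in the commit message: count == 0 still reaches copy_to_user() with len == 0, which is harmless, and the `len = count;` assignment stays a signed long, which is fine only because the unsigned comparison guarantees count is now non-negative and smaller than len at that point.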