CVE-2011-2209: Linux kernel Alpha osf_sysinfo() Information Leak
Continuing from the previous vulnerability, this was also reported by Dan Rosenberg and it was located in the code of osf_sysinfo() system call.
The latter system call can be found in arch/alpha/kernel/osf_sys.c file and here is the exact code.
SYSCALL_DEFINE3(osf_sysinfo, int, command, char __user *, buf, long, count)
{
const char *sysinfo_table[] = {
utsname()->sysname,
utsname()->nodename,
utsname()->release,
utsname()->version,
utsname()->machine,
"alpha", /* instruction set architecture */
"dummy", /* hardware serial number */
"dummy", /* hardware manufacturer */
"dummy", /* secure RPC domain */
};
unsigned long offset;
const char *res;
long len, err = -EINVAL;
offset = command-1;
if (offset >= ARRAY_SIZE(sysinfo_table)) {
/* Digital UNIX has a few unpublished interfaces here */
printk("sysinfo(%d)", command);
goto out;
}
down_read(&uts_sem);
res = sysinfo_table[offset];
len = strlen(res)+1;
if (len > count)
len = count;
if (copy_to_user(buf, res, len))
err = -EFAULT;
else
err = 0;
up_read(&uts_sem);
out:
return err;
}
Similarly to the previous one, the length check of the user controlled ‘count’ parameter has a signedness issue. Both ‘len’ and ‘count’ have signed data types meaning that a negative value would bypass this check leading to copy_to_user() call.
The fix was to cast the variables to their equivalent unsigned data types during the check as shown below.
len = strlen(res)+1; - if (len > count) + if ((unsigned long)len > (unsigned long)count) len = count;
xorl %eax, %eax 
Leave a comment