xorl %eax, %eax

CVE-2011-2210: Linux kernel Alpha osf_getsysinfo() Information Leak


Another vulnerability reported by Dan Rosenberg (aka bliss) for the Alpha architecture in the Linux kernel. This time it is in the osf_getsysinfo() system call, shown below.

SYSCALL_DEFINE5(osf_getsysinfo, unsigned long, op, void __user *, buffer,
                unsigned long, nbytes, int __user *, start, void __user *, arg)
{
        unsigned long w;
        struct percpu_struct *cpu;

        switch (op) {
   ...
        case GSI_GET_HWRPB:
                if (nbytes < sizeof(*hwrpb))
                        return -EINVAL;
                if (copy_to_user(buffer, hwrpb, nbytes) != 0)
                        return -EFAULT;
                return 1;

        default:
                break;
        }

        return -EOPNOTSUPP;
}

In the above operation (GSI_GET_HWRPB) the bounds check is inverted: it returns an error when the requested number of bytes is less than the size of the source buffer (hwrpb), instead of returning an error when the requested number of bytes is greater than the buffer's size. Because nbytes is then passed unchanged to copy_to_user(), a request larger than sizeof(*hwrpb) copies memory past the end of the hwrpb structure to user space, which is the information leak.
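The following user-space harness is an added example and not code from the post or from the Linux kernel. It models the GSI_GET_HWRPB case with the original comparison and with the corrected one, using a constructed stand-in for the HWRPB (struct hwrpb_stub, much smaller than the real hwrpb_struct), a constructed block of "adjacent kernel data", and a memcpy-based mock of copy_to_user(). The functions request_hwrpb() and leaked_bytes() are hypothetical names introduced here; they show why rejecting nbytes > sizeof(*hwrpb) is the check that bounds the copy by the source object, and that the original check only rejected short reads while letting long ones through.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the Alpha HWRPB (the real hwrpb_struct is much larger). */
struct hwrpb_stub {
    uint64_t phys_addr;
    uint64_t id;
    uint64_t revision;
    uint64_t size;
};

/* Constructed "kernel memory": the HWRPB followed by data that must never reach user space. */
struct kernel_image {
    struct hwrpb_stub hwrpb;
    unsigned char adjacent[32];   /* stands in for whatever happens to follow hwrpb */
};

static struct kernel_image kmem = {
    .hwrpb = { 0x1000, 0x4242, 7, sizeof(struct hwrpb_stub) },
    .adjacent = "ADJACENT-KERNEL-DATA-MUST-STAY!",   /* 31 chars + NUL */
};

/* Mock of copy_to_user(): a plain memcpy that always succeeds (returns 0 like the kernel helper). */
static unsigned long mock_copy_to_user(void *to, const void *from, unsigned long n)
{
    memcpy(to, from, n);
    return 0;
}

/* GSI_GET_HWRPB with the original (inverted) check: short reads are rejected, long ones are not. */
static long get_hwrpb_vulnerable(void *buffer, unsigned long nbytes)
{
    if (nbytes < sizeof(kmem.hwrpb))
        return -EINVAL;
    if (mock_copy_to_user(buffer, &kmem.hwrpb, nbytes) != 0)
        return -EFAULT;
    return 1;
}

/* GSI_GET_HWRPB with the patched check: the copy length is bounded by the source object. */
static long get_hwrpb_fixed(void *buffer, unsigned long nbytes)
{
    if (nbytes > sizeof(kmem.hwrpb))
        return -EINVAL;
    if (mock_copy_to_user(buffer, &kmem.hwrpb, nbytes) != 0)
        return -EFAULT;
    return 1;
}

/* Runs one request against the chosen variant and returns the syscall-style result.
 * The harness itself refuses nbytes beyond the constructed arena, since the model only
 * covers over-reads that stay inside kmem. */
static long request_hwrpb(int fixed, unsigned long nbytes)
{
    unsigned char user_buf[sizeof(struct kernel_image)] = {0};
    if (nbytes > sizeof(kmem))
        return -EINVAL;
    return fixed ? get_hwrpb_fixed(user_buf, nbytes)
                 : get_hwrpb_vulnerable(user_buf, nbytes);
}

/* Returns how many bytes of kmem.adjacent reached the user buffer for a request of nbytes. */
static size_t leaked_bytes(int fixed, unsigned long nbytes)
{
    unsigned char user_buf[sizeof(struct kernel_image)] = {0};
    long rc;
    if (nbytes > sizeof(kmem))
        return 0;
    rc = fixed ? get_hwrpb_fixed(user_buf, nbytes)
               : get_hwrpb_vulnerable(user_buf, nbytes);
    if (rc < 0 || nbytes <= sizeof(struct hwrpb_stub))
        return 0;
    size_t extra = nbytes - sizeof(struct hwrpb_stub);
    return memcmp(user_buf + sizeof(struct hwrpb_stub), kmem.adjacent, extra) == 0 ? extra : 0;
}

int main(void)
{
    unsigned long oversized = sizeof(struct hwrpb_stub) + 16;
    printf("original check, nbytes=%lu: rc=%ld, leaked=%zu bytes\n",
           oversized, request_hwrpb(0, oversized), leaked_bytes(0, oversized));
    printf("patched  check, nbytes=%lu: rc=%ld, leaked=%zu bytes\n",
           oversized, request_hwrpb(1, oversized), leaked_bytes(1, oversized));
    return 0;
}
```

The two handlers differ only in the comparison operator, which is exactly what the kernel patch changes; the harness makes the consequence measurable by counting how many bytes past the structure end up in the caller's buffer.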

To fix this bug, the following patch was applied.

 
 	case GSI_GET_HWRPB:
-		if (nbytes < sizeof(*hwrpb))
+		if (nbytes > sizeof(*hwrpb))
 			return -EINVAL;
 		if (copy_to_user(buffer, hwrpb, nbytes) != 0)
 			return -EFAULT;
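Review bot: Flipping the comparison to `nbytes > sizeof(*hwrpb)` is the whole fix here, since it bounds the copy_to_user() length by the size of the source object and so stops the copy from reading past hwrpb. Note the side effect: a short read (nbytes < sizeof(*hwrpb), including 0) is now accepted and returns 1 after copying only nbytes, whereas the original code rejected it. If callers are expected to always read the complete structure, `if (nbytes != sizeof(*hwrpb))` would express that; otherwise a one-line comment stating that partial reads of the HWRPB are intentional would help the next reader.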

Written by xorl

July 17, 2011 at 17:05

Posted in bugs, linux
