Bug 181879

Summary: CVE-2006-0457 Key syscalls get the length of strings before copying, and assume the terminating NUL was copied from userspace
Product: Red Hat Enterprise Linux 4
Component: kernel
Version: 4.0
Reporter: David Howells <dhowells>
Assignee: David Howells <dhowells>
QA Contact: Brian Brock <bbrock>
CC: security-response-team
Status: CLOSED ERRATA
Severity: high
Priority: medium
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: reported=20060217,public=20060203,impact=important
Fixed In Version: RHSA-2006-0575
Doc Type: Bug Fix
Last Closed: 2006-08-10 22:20:29 UTC
Bug Blocks: 181409
Attachments: Fix use of strnlen_user() in key syscalls and make the maximum string lengths correct

Description David Howells 2006-02-17 13:24:44 UTC
Description of problem:

The add_key(), request_key() syscalls and certain keyctl() functions take
string arguments from userspace. They determine the length of the string and
then copy the string including its terminal NUL from userspace without
checking that the NUL is still there.

Patch submitted upstream for this already.

This patch also fixes the maximum string lengths for types (30 -> 31),
descriptions (4094 -> 4095) and callout data (4094 -> 4095) fetched from
userspace, given that strnlen_user() includes the NUL char in its count.

Version-Release number of selected component (if applicable):

How reproducible:

The first part should be 100%, but it's very hard to reproduce as it requires
two threads to interfere with each other during a very small window.

The second part is 100%.

Steps to Reproduce:

Second part:
1. keyctl add aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a a @p
2. keyctl add aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a a @p
3. PAGE_SIZE=`getconf PAGESIZE`
4. k=`for ((i=0; i<$((PAGE_SIZE-1)); i++)); do echo -n a; done`
5. keyctl newring $k @p
6. keyctl newring a$k @p

Results:

Step 1 should fail with ENODEV and step 2 with EINVAL. Before the patch, both
will fail with ENODEV anyway, no matter where the error is taken.

Step 5 should work, and step 6 should fail with EINVAL. Note that if PAGE_SIZE
is greater than the space quota size (IA64 for example), step 5 will fail with
EDQUOT instead of working. Before the patch is applied, both will fail with
EINVAL.

Changing the $((PAGE_SIZE-1)) to a $((PAGE_SIZE-2)) in step 4 and repeating
step 5 will result in step 5 either working or generating EDQUOT, depending on
the arch.

Additional information:
CVE-2006-0457
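The two defects the report describes, the measure-then-copy window and the limit that forgets strnlen_user() counts the NUL, modelled in userspace C as an added example (this is not the kernel's code nor the attached patch; TYPE_BUF, the race hook, the model_strnlen_user()/fetch_type_*() names and the 64-byte "user memory" are assumptions for the demonstration):

```c
#include <errno.h>
#include <string.h>
#define TYPE_BUF 32  /* assumed kernel-side buffer: a 31-char type name plus its NUL */
/* Simulated second thread that rewrites "user memory" inside the race window. */
typedef void (*race_hook)(char *user_mem);
/* Model of strnlen_user(): count including the NUL, capped at max; 0 if no NUL found. */
static size_t model_strnlen_user(const char *u, size_t max)
{
    for (size_t n = 0; n < max; )
        if (u[n++] == '\0')
            return n;
    return 0;
}
/* Pre-patch pattern from the report: measure, copy, assume the NUL arrived. The limit
 * also forgets that the count includes the NUL, so 31-char type names are refused. */
int fetch_type_unsafe(char *dst, char *user_mem, race_hook race)
{
    size_t len = model_strnlen_user(user_mem, TYPE_BUF);
    if (len == 0 || len > TYPE_BUF - 1)
        return -EINVAL;
    if (race) race(user_mem);        /* window between length check and copy */
    memcpy(dst, user_mem, len);      /* dst[len-1] is only hoped to be '\0' */
    return (int)len;
}
/* Patched pattern: the limit counts the NUL, and the terminator is checked on the
 * kernel-side copy instead of being trusted from the earlier measurement. */
int fetch_type_safe(char *dst, char *user_mem, race_hook race)
{
    size_t len = model_strnlen_user(user_mem, TYPE_BUF);
    if (len == 0 || len > TYPE_BUF)
        return -EINVAL;
    if (race) race(user_mem);
    memcpy(dst, user_mem, len);
    if (dst[len - 1] != '\0')
        return -EINVAL;              /* string changed under us: reject, never over-read */
    return (int)len;
}
/* Constructed racing writer: overwrites the measured terminator with more 'a's. */
void clobber_nul(char *user_mem) { memset(user_mem, 'a', TYPE_BUF); }
/* Builds n 'a's in "user memory" and fetches it; -1 means the copy arrived unterminated. */
int run_case(int patched, size_t n, race_hook race)
{
    char user_mem[64], dst[64];
    memset(user_mem, 'a', n);
    user_mem[n] = '\0';
    int r = patched ? fetch_type_safe(dst, user_mem, race) : fetch_type_unsafe(dst, user_mem, race);
    return (r > 0 && memchr(dst, '\0', (size_t)r) == NULL) ? -1 : r;
}
```

run_case(0, 31, NULL) shows the old limit rejecting a 31-character type name with EINVAL, and run_case(0, 4, clobber_nul) shows the unpatched copy arriving with no terminator, which is what the patched check turns into EINVAL.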

Comment 1 David Howells 2006-02-17 13:24:45 UTC
Created attachment 124815 [details]
Fix use of strnlen_user() in key syscalls and make the maximum string lengths correct

Comment 2 Jason Baron 2006-03-24 22:47:20 UTC
Committed in stream U4 build 34.8. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/


Comment 5 Mike Gahagan 2006-06-19 21:40:00 UTC
test results from an x86_64 system:

2.6.9-22:
[mgahagan@dhcp59-204 181879]$ keyctl add aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a a @p
add_key: No such device
[mgahagan@dhcp59-204 181879]$ keyctl add aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a a @p
add_key: No such device
[mgahagan@dhcp59-204 181879]$ export PAGE_SIZE=`getconf PAGESIZE`
[mgahagan@dhcp59-204 181879]$ export k=`for ((i=0; i<$((PAGE_SIZE-1)); i++)); do
echo -n a; done`
[mgahagan@dhcp59-204 181879]$ keyctl newring $k @p
add_key: Invalid argument
[mgahagan@dhcp59-204 181879]$ keyctl newring a$k @p
add_key: Invalid argument
[mgahagan@dhcp59-204 181879]$ export k=`for ((i=0; i<$((PAGE_SIZE-2)); i++)); do
echo -n a; done`
[mgahagan@dhcp59-204 181879]$ keyctl newring $k @p
28
[mgahagan@dhcp59-204 181879]$ keyctl newring a$k @p
add_key: Invalid argument
[mgahagan@dhcp59-204 181879]$ uname -a
Linux dhcp59-204.rdu.redhat.com 2.6.9-22.ELsmp #1 SMP Mon Sep 19 18:00:54 EDT
2005 x86_64 x86_64 x86_64 GNU/Linux

2.6.9-39.EL:
[mgahagan@dhcp59-204 181879]$ cat results-2.6.9-39.ELsmp
[mgahagan@dhcp59-204 181879]$ uname -a
Linux dhcp59-204.rdu.redhat.com 2.6.9-39.ELsmp #1 SMP Thu Jun 1 18:01:55 EDT
2006 x86_64 x86_64 x86_64 GNU/Linux
[mgahagan@dhcp59-204 181879]$ keyctl add aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a a @p
add_key: No such device
[mgahagan@dhcp59-204 181879]$ keyctl add aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a a @p
add_key: Invalid argument
[mgahagan@dhcp59-204 181879]$
[mgahagan@dhcp59-204 181879]$ getconf PAGESIZE
4096
[mgahagan@dhcp59-204 181879]$ export PAGE_SIZE=`getconf PAGESIZE`
[mgahagan@dhcp59-204 181879]$ export k=`for ((i=0; i<$((PAGE_SIZE-1)); i++)); do
echo -n a; done`
[mgahagan@dhcp59-204 181879]$ keyctl newring $k @p
42
[mgahagan@dhcp59-204 181879]$ keyctl newring a$k @p
add_key: Invalid argument
[mgahagan@dhcp59-204 181879]$ export k=`for ((i=0; i<$((PAGE_SIZE-2)); i++)); do
echo -n a; done`
[mgahagan@dhcp59-204 181879]$  keyctl newring $k @p
44
[mgahagan@dhcp59-204 181879]$ keyctl newring a$k @p
46
Comment 6 Mike Gahagan 2006-06-19 22:04:09 UTC
ppc results (after patch applied):

.qa.[root@ppcp-4as 181879]# keyctl add aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a a @p
add_key: No such device
.qa.[root@ppcp-4as 181879]# keyctl add aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a a @p
add_key: Invalid argument
.qa.[root@ppcp-4as 181879]# export PAGE_SIZE=`getconf PAGESIZE`
.qa.[root@ppcp-4as 181879]# export k=`for ((i=0; i<$((PAGE_SIZE-1)); i++)); do
> echo -n a; done`
.qa.[root@ppcp-4as 181879]# keyctl newring $k @p
85
.qa.[root@ppcp-4as 181879]# keyctl newring a$k @p
add_key: Invalid argument
.qa.[root@ppcp-4as 181879]# export k=`for ((i=0; i<$((PAGE_SIZE-2)); i++)); do
> echo -n a; done`
.qa.[root@ppcp-4as 181879]# keyctl newring $k @p
87
.qa.[root@ppcp-4as 181879]# keyctl newring a$k @p
89
.qa.[root@ppcp-4as 181879]# uname -a
Linux ppcp-4as.lab.boston.redhat.com 2.6.9-39.EL #1 SMP Thu Jun 1 17:52:36
EDT2006 ppc64 ppc64 ppc64 GNU/Linux
Comment 8 Red Hat Bugzilla 2006-08-10 22:20:29 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0575.html