Bug 181881

Summary: CVE-2006-0456 s390/s390x strnlen_user() is broken
Product: Red Hat Enterprise Linux 4 Reporter: David Howells <dhowells>
Component: kernelAssignee: Jan Glauber <jglauber>
Status: CLOSED ERRATA QA Contact: Brian Brock <bbrock>
Severity: high Docs Contact:
Priority: medium    
Version: 4.0CC: jbaron, security-response-team, zaitcev
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: s390   
OS: Linux   
Whiteboard: reported=20060217,source=redhat,impact=important,embargo=yes,public=20060307
Fixed In Version: RHSA-2006-0575 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-08-10 22:20:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 181409    
Attachments:
Description Flags
Fix strnlen_user() on s390 and s390x none

Description David Howells 2006-02-17 13:40:24 UTC 
Description of problem:  
  
strnlen_user() on s390 and s390x does not return a value greater than maxlen  
if the string is looking at is longer than maxlen; instead it returns maxlen.  
  
This means things that use it (such as add_key, request_key and keyctl) may  
assume that strnlen_user() actually worked, and the string included a NUL  
character, which they then copy (a poor assumption fixed in bug 181879 for the  
key management code).  
  
Version-Release number of selected component (if applicable):  
  
  
How reproducible:  
 
100% 
  
Steps to Reproduce:  
1. PAGE_SIZE=`getconf PAGESIZE` 
2. k=`for ((i=0; i<$((PAGE_SIZE+10)); i++)); do echo -n a; done` 
3. keyctl newring $k @s 
4. cat /proc/keys 
    
Actual results:  
  
Step 3 should fail with EINVAL, but doesn't. 
 
Step 4 shows a key with a description of 4096 'a' characters, and it may have 
some random rubbish on the end or may crash because the string is 
unterminated. 
  
Expected results:  
  
Step 3 should give EINVAL. 
 
Additional info: 
 
This affects both s390 and s390x architectures. 
 
Since it's an arch problem, it may affect other things besides the key 
management syscalls too. 
 
strncpy_from_user() looks like it may also be affected.
Comment 1 David Howells 2006-02-17 13:40:25 UTC 
Created attachment 124816 [details]
Fix strnlen_user() on s390 and s390x
Comment 2 David Howells 2006-02-17 13:41:19 UTC 
CVE-2006-0456
Comment 3 Jason Baron 2006-03-22 15:07:46 UTC 
committed in stream U4 build 34.6. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/
Comment 7 Red Hat Bugzilla 2006-08-10 22:20:32 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0575.html