Bug 504081

Summary: kernel: TPM: get_event_name stack corruption [mrg-1.2]
Product: Red Hat Enterprise MRG Reporter: Eugene Teo (Security Response) <eteo>
Component: realtime-kernelAssignee: Red Hat Real Time Maintenance <rt-maint>
Status: CLOSED NOTABUG QA Contact: David Sommerseth <davids>
Severity: high Docs Contact:
Priority: high    
Version: 1.2CC: bhu, eteo, jkacur, lgoncalv, ovasik
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 503902 Environment:
Last Closed: 2009-09-22 10:46:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 503902    
Bug Blocks:    

Description Eugene Teo (Security Response) 2009-06-04 05:25:10 UTC 
+++ This bug was initially created as a clone of Bug #503902 +++

Description of problem:
get_event_name uses sprintf to fill a buffer declared on the stack.  It fills the buffer 2 bytes at a time.  What the code doesn't take into account is that sprintf(buf, "%02x", data) actually writes 3 bytes.  2 bytes for the data and then it nul terminates the string.  Since we declare buf to be 40 characters long and then we write 40 bytes of data into buf sprintf is going to write 41 characters.  The fix is to leave room in buf for the nul terminator.

Upstream commit:
http://git.kernel.org/linus/fbaa58696cef848de818768783ef185bd3f05158

Note: this is not addressed in 2.6.29.4.
Comment 1 Eugene Teo (Security Response) 2009-09-22 10:46:04 UTC 
This is fixed in 2.6.31.