Bug 113100 - CAN-2003-0465 kernel strncpy padding
CAN-2003-0465 kernel strncpy padding
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: kernel (Show other bugs)
3.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Ernie Petrides
Brian Brock
: Security
Depends On:
Blocks: 107562
  Show dependency treegraph
 
Reported: 2004-01-08 10:29 EST by Mark J. Cox (Product Security)
Modified: 2007-11-30 17:07 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-05-11 21:08:15 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
The s390,s390x test fix (1.20 KB, patch)
2004-01-28 22:13 EST, Pete Zaitcev
no flags Details | Diff
ppc64 patch (889 bytes, patch)
2004-01-29 07:18 EST, Julie DeWandel
no flags Details | Diff
Correct s390 version from Martin (2.6) (1.87 KB, patch)
2004-01-29 11:17 EST, Pete Zaitcev
no flags Details | Diff
Patch for generic kernel strncpy (788 bytes, patch)
2004-01-29 13:34 EST, Jim Paradis
no flags Details | Diff

  None (edit)
Description Mark J. Cox (Product Security) 2004-01-08 10:29:14 EST
CAN-2003-0465 The kernel strncpy function in Linux 2.4 and 2.5 does not
%NUL pad the buffer on architectures other than x86, as opposed to the
expected behavior of strncpy as implemented in libc, which could lead
to information leaks.
http://marc.theaimsgroup.com/?l=linux-kernel&m=105796021120436&w=2
http://marc.theaimsgroup.com/?l=linux-kernel&m=105796415223490&w=2
2.4: 1.1063.4.25 paulus@samba.org|ChangeSet|20030812235114|14554
[hence fixed upstream in 2.4.22]

Not fixed up to 2.4.21-7.EL
Comment 5 Pete Zaitcev 2004-01-28 22:13:49 EST
Created attachment 97323 [details]
The s390,s390x test fix
Comment 7 Julie DeWandel 2004-01-29 07:18:00 EST
Created attachment 97329 [details]
ppc64 patch

Thought I'd follow Pete's lead and attach the ppc64 patch here as well.
Comment 8 Pete Zaitcev 2004-01-29 11:17:38 EST
Created attachment 97337 [details]
Correct s390 version from Martin (2.6)
Comment 9 Jim Paradis 2004-01-29 13:34:28 EST
Created attachment 97343 [details]
Patch for generic kernel strncpy

Amazingly enough, x86_64 doesn't have arch-specific string routines; it uses
the generic routines in lib (this is true upstream as well, for both 2.4 and
2.6)

Attached is a patch to drop-in the 2.6 version of strncpy, which does the right
thing.
Comment 10 Jason Baron 2004-01-29 13:41:13 EST
ia64 uses the generic routines as well.
Comment 11 Ernie Petrides 2004-02-11 01:02:33 EST
The fixes required to make the x86_64, ia64, ppc64, s390, and s390x
versions of strncpy() zero-pad the destination buffer were committed
to the RHEL3 U2 patch pool tonight.  They will first be available in
kernel version 2.4.21-9.7.EL.
Comment 12 John Flanagan 2004-05-11 21:08:15 EDT
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2004-188.html

Note You need to log in before you can comment on or make changes to this bug.