Bug 181879 - CVE-2006-0457 Key syscalls use get length of strings before copying, and assume terminating NUL copied from userspace
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel (Show other bugs)
4.0
All Linux
medium Severity high
Assigned To: David Howells
Brian Brock
reported=20060217,public=20060203,imp...
: Security
Depends On:
Blocks: 181409
Reported: 2006-02-17 08:24 EST by David Howells
Modified: 2007-11-30 17:07 EST (History)

See Also:
Fixed In Version: RHSA-2006-0575
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-08-10 18:20:29 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Attachments:
Fix use of strnlen_user() in key syscalls and make the maximum string lengths correct (5.14 KB, patch)
2006-02-17 08:24 EST, David Howells

Description David Howells 2006-02-17 08:24:44 EST
Description of problem:

The add_key(), request_key() syscalls and certain keyctl() functions take
string arguments from userspace. They determine the length of the string and
then copy the string including its terminal NUL from userspace without
checking the NUL is still there.

Patch submitted upstream for this already.

This patch also fixes the maximum string lengths for types (30 -> 31),
descriptions (4094 -> 4095) and callout data (4094 -> 4095) fetched from
userspace, given that strnlen_user() includes the NUL char in its count.

Version-Release number of selected component (if applicable):

How reproducible:

The first part should be 100%, but it's very hard to reproduce as it requires
two threads to interfere with each other during a very small window.

The second part is 100%.

Steps to Reproduce:

Second part:
1. keyctl add aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a a @p
2. keyctl add aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a a @p
3. PAGE_SIZE=`getconf PAGESIZE`
4. k=`for ((i=0; i<$((PAGE_SIZE-1)); i++)); do echo -n a; done`
5. keyctl newring $k @p
6. keyctl newring a$k @p

Results:

Step 1 should fail with ENODEV and step 2 with EINVAL. Before the patch, both
will fail with ENODEV anyway, no matter where the error is taken.

Step 5 should work, and step 6 should fail with EINVAL. Note that if PAGE_SIZE
is greater than the space quota size (IA64 for example), step 5 will fail with
EDQUOT instead of working. Before the patch is applied, both will fail with
EINVAL.

Changing the $((PAGE_SIZE-1)) to a $((PAGE_SIZE-2)) in step 4 and repeating
step 5 will result in step 5 either working or generating EDQUOT, depending on
the arch.

Additional information:

CVE-2006-0457
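The two defects the report describes (trusting a NUL that a second thread can remove between strnlen_user() and copy_from_user(), and the off-by-one in the length limit because strnlen_user() counts the NUL) as a constructed user-space model. This is added example code, not the reporter's patch or the RHEL kernel's code: user_mem, kern_buf, user_strnlen(), measure(), fetch_type_old(), fetch_type_fixed() and race_drop_nul() are all hypothetical names; only the 31-character type limit comes from the report.

```c
#include <errno.h>
#include <string.h>
/* Constructed model of the add_key() type-string fetch, not the RHEL kernel's own
 * code: user_mem stands in for the userspace buffer, user_strnlen() for
 * strnlen_user(), memcpy() for copy_from_user(), and the interfering second
 * thread the report describes is a callback run between the two calls. */
#define KEY_TYPE_MAX 31                      /* longest accepted type, NUL excluded */
static char user_mem[64];                    /* "userspace" buffer being fetched */
static char kern_buf[KEY_TYPE_MAX + 1];      /* kernel-side copy of the type name */
/* Models the other thread: overwrite the NUL so the string grows by one byte. */
static void race_drop_nul(char *u) { u[strlen(u)] = 'b'; }

/* Like strnlen_user(): the count includes the NUL, and a string with no NUL in
 * the first n bytes yields n + 1 (the 0 returned on a fault is not modelled). */
static size_t user_strnlen(const char *u, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (u[i] == '\0')
            return i + 1;
    return n + 1;
}

/* Length policy of the fixed code: at most KEY_TYPE_MAX chars plus the NUL
 * (a count of 32 passes, 33 does not), and never an empty type. */
static int measure(void)
{
    size_t len = user_strnlen(user_mem, KEY_TYPE_MAX + 1);
    return (len > KEY_TYPE_MAX + 1 || len < 2) ? -EINVAL : (int)len;
}

/* Pre-fix pattern: copy exactly len bytes and trust the last one to be the NUL.
 * Returns the type length or -errno; kern_buf may be left unterminated. */
static int fetch_type_old(void (*race)(char *))
{
    int len = measure();
    if (len < 0) return len;
    if (race) race(user_mem);               /* the window the report describes */
    memcpy(kern_buf, user_mem, len);        /* copies whatever is there now */
    return len - 1;
}

/* Hardened pattern: the kernel terminates its own copy instead of relying on a
 * byte it read from userspace, so a racing writer can only shorten the name. */
static int fetch_type_fixed(void (*race)(char *))
{
    int len = measure();
    if (len < 0) return len;
    if (race) race(user_mem);
    memcpy(kern_buf, user_mem, len);
    kern_buf[len - 1] = '\0';
    return (int)strlen(kern_buf);
}
```

With the callback in place, the old fetch hands the caller a buffer whose supposed NUL is a user-controlled byte, while the fixed fetch returns a properly terminated (and at most 31-character) name; 31 'a's pass and 32 are rejected with EINVAL, matching the report's steps 1 and 2.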
Comment 1 David Howells 2006-02-17 08:24:45 EST
Created attachment 124815 [details]
Fix use of strnlen_user() in key syscalls and make the maximum string lengths correct
Comment 2 Jason Baron 2006-03-24 17:47:20 EST
committed in stream U4 build 34.8. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/
Comment 5 Mike Gahagan 2006-06-19 17:40:00 EDT
test results from an x86_64 system:

2.6.9-22:
[mgahagan@dhcp59-204 181879]$ keyctl add aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a a @p
add_key: No such device
[mgahagan@dhcp59-204 181879]$ keyctl add aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a a @p
add_key: No such device
[mgahagan@dhcp59-204 181879]$ export PAGE_SIZE=`getconf PAGESIZE`
[mgahagan@dhcp59-204 181879]$ export k=`for ((i=0; i<$((PAGE_SIZE-1)); i++)); do
echo -n a; done`
[mgahagan@dhcp59-204 181879]$ keyctl newring $k @p
add_key: Invalid argument
[mgahagan@dhcp59-204 181879]$ keyctl newring a$k @p
add_key: Invalid argument
[mgahagan@dhcp59-204 181879]$ export k=`for ((i=0; i<$((PAGE_SIZE-2)); i++)); do
echo -n a; done`
[mgahagan@dhcp59-204 181879]$ keyctl newring $k @p
28
[mgahagan@dhcp59-204 181879]$ keyctl newring a$k @p
add_key: Invalid argument
[mgahagan@dhcp59-204 181879]$ uname -a
Linux dhcp59-204.rdu.redhat.com 2.6.9-22.ELsmp #1 SMP Mon Sep 19 18:00:54 EDT
2005 x86_64 x86_64 x86_64 GNU/Linux

2.6.9-39.EL:
[mgahagan@dhcp59-204 181879]$ cat results-2.6.9-39.ELsmp
[mgahagan@dhcp59-204 181879]$ uname -a
Linux dhcp59-204.rdu.redhat.com 2.6.9-39.ELsmp #1 SMP Thu Jun 1 18:01:55 EDT
2006 x86_64 x86_64 x86_64 GNU/Linux
[mgahagan@dhcp59-204 181879]$ keyctl add aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a a @p
add_key: No such device
[mgahagan@dhcp59-204 181879]$ keyctl add aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a a @p
add_key: Invalid argument
[mgahagan@dhcp59-204 181879]$
[mgahagan@dhcp59-204 181879]$ getconf PAGESIZE
4096
[mgahagan@dhcp59-204 181879]$ export PAGE_SIZE=`getconf PAGESIZE`
[mgahagan@dhcp59-204 181879]$ export k=`for ((i=0; i<$((PAGE_SIZE-1)); i++)); do
echo -n a; done`
[mgahagan@dhcp59-204 181879]$ keyctl newring $k @p
42
[mgahagan@dhcp59-204 181879]$ keyctl newring a$k @p
add_key: Invalid argument
[mgahagan@dhcp59-204 181879]$ export k=`for ((i=0; i<$((PAGE_SIZE-2)); i++)); do
echo -n a; done`
[mgahagan@dhcp59-204 181879]$  keyctl newring $k @p
44
[mgahagan@dhcp59-204 181879]$ keyctl newring a$k @p
46
Comment 6 Mike Gahagan 2006-06-19 18:04:09 EDT
ppc results (after patch applied):

.qa.[root@ppcp-4as 181879]# keyctl add aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a a @p
add_key: No such device
.qa.[root@ppcp-4as 181879]# keyctl add aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a a @p
add_key: Invalid argument
.qa.[root@ppcp-4as 181879]# export PAGE_SIZE=`getconf PAGESIZE`
.qa.[root@ppcp-4as 181879]# export k=`for ((i=0; i<$((PAGE_SIZE-1)); i++)); do
> echo -n a; done`
.qa.[root@ppcp-4as 181879]# keyctl newring $k @p
85
.qa.[root@ppcp-4as 181879]# keyctl newring a$k @p
add_key: Invalid argument
.qa.[root@ppcp-4as 181879]# export k=`for ((i=0; i<$((PAGE_SIZE-2)); i++)); do
> echo -n a; done`
.qa.[root@ppcp-4as 181879]# keyctl newring $k @p
87
.qa.[root@ppcp-4as 181879]# keyctl newring a$k @p
89
.qa.[root@ppcp-4as 181879]# uname -a
Linux ppcp-4as.lab.boston.redhat.com 2.6.9-39.EL #1 SMP Thu Jun 1 17:52:36
EDT2006 ppc64 ppc64 ppc64 GNU/Linux
Comment 8 Red Hat Bugzilla 2006-08-10 18:20:29 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0575.html