Bug 181879 - CVE-2006-0457 Key syscalls get length of strings before copying, and assume terminating NUL copied from userspace
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: All Linux
Priority: medium
Severity: high
Target Milestone: ---
Assignee: David Howells
QA Contact: Brian Brock
URL:
Whiteboard: reported=20060217,public=20060203,imp...
Keywords: Security
Depends On:
Blocks: 181409
Reported: 2006-02-17 13:24 UTC by David Howells
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHSA-2006-0575
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-08-10 22:20:29 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
Fix use of strnlen_user() in key syscalls and make the maximum string lengths correct (5.14 KB, patch)
2006-02-17 13:24 UTC, David Howells


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2006:0575 normal SHIPPED_LIVE Important: Updated kernel packages available for Red Hat Enterprise Linux 4 Update 4 2006-08-10 04:00:00 UTC

Description David Howells 2006-02-17 13:24:44 UTC
Description of problem:      
    
The add_key(), request_key() syscalls and certain keyctl() functions take   
string arguments from userspace. They determine the length of the string and   
then copy the string including its terminal NUL from userspace without   
checking the NUL is still there.   
   
Patch submitted upstream for this already.   
  
This patch also fixes the maximum string lengths for types (30 -> 31),  
descriptions (4094 -> 4095) and callout data (4094 -> 4095) fetched from  
userspace, given that strnlen_user() includes the NUL char in its count.  
  
Version-Release number of selected component (if applicable):      
      
      
How reproducible:      
  
The first part should be 100%, but it's very hard to reproduce as it requires  
two threads to interfere with each other during a very small window.  
  
The second part is 100%.  
  
Steps to Reproduce:  
  
Second part:  
1. keyctl add aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a a @p  
2. keyctl add aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a a @p  
3. PAGE_SIZE=`getconf PAGESIZE`  
4. k=`for ((i=0; i<$((PAGE_SIZE-1)); i++)); do echo -n a; done`  
5. keyctl newring $k @p  
6. keyctl newring a$k @p  
        
Results:      
      
Step 1 should fail with ENODEV and step 2 with EINVAL. Before the patch, both  
will fail with ENODEV anyway, no matter where the error is taken.  
  
Step 5 should work, and step 6 should fail with EINVAL. Note that if PAGE_SIZE  
is greater than the space quota size (IA64 for example), step 5 will fail with  
EDQUOT instead of working. Before the patch is applied, both will fail with  
EINVAL.  
  
Changing the $((PAGE_SIZE-1)) to a $((PAGE_SIZE-2)) in step 4 and repeating  
step 5 will result in step 5 either working or generating EDQUOT, depending on  
the arch.  
 
Additional information: 
 
CVE-2006-0457
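
As an added illustration (not code from this report, the attached patch, or the kernel), the following userspace C model shows the two defects the description names and a check that closes them: the measure-then-copy race, in which the NUL seen by the length scan is gone by the time the bytes are copied, and the off-by-one in the length limit that comes from strnlen_user() counting the NUL. model_strnlen_user() is a simplified stand-in for the kernel helper, the mutate() callback stands in for the second thread interfering inside the window, and the buffer contents are constructed; rejecting with EINVAL after the copy is one reasonable response (forcing dst[len - 1] to NUL is the other).

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed limit from the report: a key type is at most 31 characters plus NUL. */
#define TYPE_BUF_LEN 32

/*
 * Simplified model of strnlen_user(): returns the length INCLUDING the
 * terminating NUL, 0 for an unreadable pointer (a fault), or a value
 * greater than n when no NUL was found within n bytes.
 */
static size_t model_strnlen_user(const char *user, size_t n)
{
    size_t i;
    if (user == NULL)
        return 0;
    for (i = 0; i < n; i++)
        if (user[i] == '\0')
            return i + 1;
    return n + 1;
}

/*
 * Pre-fix pattern: measure, then copy len bytes (NUL included) trusting that
 * the NUL is still there. mutate(), when non-NULL, models a racing writer.
 */
static int fetch_type_racy(char dst[TYPE_BUF_LEN], char *user,
                           void (*mutate)(char *))
{
    size_t len = model_strnlen_user(user, TYPE_BUF_LEN);

    if (len == 0)
        return -EFAULT;
    if (len > TYPE_BUF_LEN)
        return -EINVAL;        /* more than 31 chars + NUL */
    if (mutate)
        mutate(user);          /* the race window */
    memcpy(dst, user, len);    /* dst may now have no terminator */
    return 0;
}

/* Post-fix pattern: same steps, but the copied bytes are checked afterwards. */
static int fetch_type_checked(char dst[TYPE_BUF_LEN], char *user,
                              void (*mutate)(char *))
{
    size_t len = model_strnlen_user(user, TYPE_BUF_LEN);

    if (len == 0)
        return -EFAULT;
    if (len > TYPE_BUF_LEN)
        return -EINVAL;
    if (mutate)
        mutate(user);
    memcpy(dst, user, len);
    if (dst[len - 1] != '\0')  /* NUL vanished between measure and copy */
        return -EINVAL;
    return 0;
}

/* Racing writer: overwrite the NUL of the constructed user string. */
static void clobber_nul(char *user)
{
    user[strlen(user)] = 'X';
}

/* Returns 1 when the racy copy of "user" ends up with no NUL in its 5 bytes. */
static int racy_copy_loses_terminator(void)
{
    char user[TYPE_BUF_LEN] = "user";   /* constructed sample type name */
    char dst[TYPE_BUF_LEN];

    if (fetch_type_racy(dst, user, clobber_nul) != 0)
        return -1;
    return memchr(dst, '\0', 5) == NULL;
}

/* Same interference against the checked copy: returns -EINVAL. */
static int checked_copy_rejects_interference(void)
{
    char user[TYPE_BUF_LEN] = "user";
    char dst[TYPE_BUF_LEN];

    return fetch_type_checked(dst, user, clobber_nul);
}

/* Length limit for a type of n 'a' characters: 0 if accepted, -EINVAL if too long. */
static int type_of_length(size_t n)
{
    char user[TYPE_BUF_LEN + 2];
    char dst[TYPE_BUF_LEN];

    if (n >= sizeof(user))
        return -E2BIG;
    memset(user, 'a', n);
    user[n] = '\0';
    return fetch_type_checked(dst, user, NULL);
}

int main(void)
{
    printf("racy copy lost its terminator: %d\n", racy_copy_loses_terminator());
    printf("checked copy under interference: %d (EINVAL is %d)\n",
           checked_copy_rejects_interference(), -EINVAL);
    printf("31-char type: %d, 32-char type: %d\n",
           type_of_length(31), type_of_length(32));
    return 0;
}
```

The two length cases mirror steps 1 and 2 above: 31 characters plus NUL measures as 32 and passes the length check (so the kernel goes on to look up the type and returns ENODEV), while 32 characters measure as more than 32 and are rejected with EINVAL.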

Comment 1 David Howells 2006-02-17 13:24:45 UTC
Created attachment 124815 [details]
Fix use of strnlen_user() in key syscalls and make the maximum string lengths correct

Comment 2 Jason Baron 2006-03-24 22:47:20 UTC
Committed in stream U4 build 34.8. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/


Comment 5 Mike Gahagan 2006-06-19 21:40:00 UTC
test results from an x86_64 system:

2.6.9-22:
[mgahagan@dhcp59-204 181879]$ keyctl add aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a a @p
add_key: No such device
[mgahagan@dhcp59-204 181879]$ keyctl add aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a a @p
add_key: No such device
[mgahagan@dhcp59-204 181879]$ export PAGE_SIZE=`getconf PAGESIZE`
[mgahagan@dhcp59-204 181879]$ export k=`for ((i=0; i<$((PAGE_SIZE-1)); i++)); do
echo -n a; done`
[mgahagan@dhcp59-204 181879]$ keyctl newring $k @p
add_key: Invalid argument
[mgahagan@dhcp59-204 181879]$ keyctl newring a$k @p
add_key: Invalid argument
[mgahagan@dhcp59-204 181879]$ export k=`for ((i=0; i<$((PAGE_SIZE-2)); i++)); do
echo -n a; done`
[mgahagan@dhcp59-204 181879]$ keyctl newring $k @p
28
[mgahagan@dhcp59-204 181879]$ keyctl newring a$k @p
add_key: Invalid argument
[mgahagan@dhcp59-204 181879]$ uname -a
Linux dhcp59-204.rdu.redhat.com 2.6.9-22.ELsmp #1 SMP Mon Sep 19 18:00:54 EDT
2005 x86_64 x86_64 x86_64 GNU/Linux

2.6.9-39.EL:
[mgahagan@dhcp59-204 181879]$ cat results-2.6.9-39.ELsmp
[mgahagan@dhcp59-204 181879]$ uname -a
Linux dhcp59-204.rdu.redhat.com 2.6.9-39.ELsmp #1 SMP Thu Jun 1 18:01:55 EDT
2006 x86_64 x86_64 x86_64 GNU/Linux
[mgahagan@dhcp59-204 181879]$ keyctl add aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a a @p
add_key: No such device
[mgahagan@dhcp59-204 181879]$ keyctl add aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a a @p
add_key: Invalid argument
[mgahagan@dhcp59-204 181879]$
[mgahagan@dhcp59-204 181879]$ getconf PAGESIZE
4096
[mgahagan@dhcp59-204 181879]$ export PAGE_SIZE=`getconf PAGESIZE`
[mgahagan@dhcp59-204 181879]$ export k=`for ((i=0; i<$((PAGE_SIZE-1)); i++)); do
echo -n a; done`
[mgahagan@dhcp59-204 181879]$ keyctl newring $k @p
42
[mgahagan@dhcp59-204 181879]$ keyctl newring a$k @p
add_key: Invalid argument
[mgahagan@dhcp59-204 181879]$ export k=`for ((i=0; i<$((PAGE_SIZE-2)); i++)); do
echo -n a; done`
[mgahagan@dhcp59-204 181879]$  keyctl newring $k @p
44
[mgahagan@dhcp59-204 181879]$ keyctl newring a$k @p
46


Comment 6 Mike Gahagan 2006-06-19 22:04:09 UTC
ppc results (after patch applied):

.qa.[root@ppcp-4as 181879]# keyctl add aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a a @p
add_key: No such device
.qa.[root@ppcp-4as 181879]# keyctl add aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a a @p
add_key: Invalid argument
.qa.[root@ppcp-4as 181879]# export PAGE_SIZE=`getconf PAGESIZE`
.qa.[root@ppcp-4as 181879]# export k=`for ((i=0; i<$((PAGE_SIZE-1)); i++)); do
> echo -n a; done`
.qa.[root@ppcp-4as 181879]# keyctl newring $k @p
85
.qa.[root@ppcp-4as 181879]# keyctl newring a$k @p
add_key: Invalid argument
.qa.[root@ppcp-4as 181879]# export k=`for ((i=0; i<$((PAGE_SIZE-2)); i++)); do
> echo -n a; done`
.qa.[root@ppcp-4as 181879]# keyctl newring $k @p
87
.qa.[root@ppcp-4as 181879]# keyctl newring a$k @p
89
.qa.[root@ppcp-4as 181879]# uname -a
Linux ppcp-4as.lab.boston.redhat.com 2.6.9-39.EL #1 SMP Thu Jun 1 17:52:36
EDT2006 ppc64 ppc64 ppc64 GNU/Linux

Comment 8 Red Hat Bugzilla 2006-08-10 22:20:29 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0575.html
