Red Hat Bugzilla – Bug 181881
CVE-2006-0456 s390/s390x strnlen_user() is broken
Last modified: 2007-11-30 17:07:23 EST
Description of problem:
strnlen_user() on s390 and s390x does not return a value greater than maxlen
if the string it is looking at is longer than maxlen; instead it returns maxlen.
This means things that use it (such as add_key, request_key and keyctl) may
assume that strnlen_user() actually worked, and the string included a NUL
character, which they then copy (a poor assumption fixed in bug 181879 for the
key management code).
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. PAGE_SIZE=`getconf PAGESIZE`
2. k=`for ((i=0; i<$((PAGE_SIZE+10)); i++)); do echo -n a; done`
3. keyctl newring $k @s
4. cat /proc/keys
Step 3 should fail with EINVAL, but doesn't.
Step 4 shows a key with a description of 4096 'a' characters, and it may have
some random rubbish on the end or may crash because the string is
Step 3 should give EINVAL.
This affects both s390 and s390x architectures.
Since it's an arch problem, it may affect other things besides the key
management syscalls too.
strncpy_from_user() looks like it may also be affected.
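The failure described in this report, as an added example (not code from the report, the attachment or the kernel): a userspace C model of a length helper that honours the "greater than maxlen" contract next to one that clamps to maxlen, and a caller that relies on the length check alone. All function names, MAXLEN and the verify_nul check are assumptions made for illustration; the check is not claimed to be the fix applied in bug 181879.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { MAXLEN = 16 };                 /* stand-in for the page-sized limit */
enum { REJECTED = -1, TERMINATED = 0, UNTERMINATED = 1 };
typedef size_t (*strnlen_fn)(const char *, size_t);

/* Contract the report expects: length INCLUDING the NUL, or a value greater
 * than maxlen when no NUL is found in the first maxlen bytes. */
static size_t strnlen_contract(const char *s, size_t maxlen)
{
    const char *nul = memchr(s, '\0', maxlen);
    return nul ? (size_t)(nul - s) + 1 : maxlen + 1;
}

/* Behaviour reported for s390/s390x: returns maxlen for an over-long string. */
static size_t strnlen_clamped(const char *s, size_t maxlen)
{
    const char *nul = memchr(s, '\0', maxlen);
    return nul ? (size_t)(nul - s) + 1 : maxlen;
}

/* Hypothetical caller. With verify_nul == 0 it trusts the length check alone. */
static int copy_description(strnlen_fn len_of, const char *src, char *dst, int verify_nul)
{
    size_t len = len_of(src, MAXLEN);
    if (len == 0 || len > MAXLEN)
        return REJECTED;              /* the EINVAL path */
    memcpy(dst, src, len);
    if (dst[len - 1] == '\0')
        return TERMINATED;
    return verify_nul ? REJECTED : UNTERMINATED;
}

/* Constructed input: MAXLEN + 10 'a' characters, as in the reproduction steps. */
static int run_case(strnlen_fn len_of, int verify_nul)
{
    char src[MAXLEN + 11], dst[MAXLEN];
    memset(src, 'a', MAXLEN + 10);
    src[MAXLEN + 10] = '\0';
    return copy_description(len_of, src, dst, verify_nul);
}

int main(void)
{
    printf("contract=%d clamped=%d clamped+check=%d\n", run_case(strnlen_contract, 0),
           run_case(strnlen_clamped, 0), run_case(strnlen_clamped, 1));
    return 0;
}
```

With the clamped helper the trusting caller ends up holding MAXLEN bytes with no terminator, which matches the over-long, unterminated key description reported from step 4.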
Created attachment 124816
Fix strnlen_user() on s390 and s390x
committed in stream U4 build 34.6. A test kernel with this patch is available
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.