Bug 181881 - CVE-2006-0456 s390/s390x strnlen_user() is broken
CVE-2006-0456 s390/s390x strnlen_user() is broken
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel (Show other bugs)
4.0
s390 Linux
medium Severity high
: ---
: ---
Assigned To: Jan Glauber
Brian Brock
reported=20060217,source=redhat,impac...
: Security
Depends On:
Blocks: 181409
  Show dependency treegraph
 
Reported: 2006-02-17 08:40 EST by David Howells
Modified: 2007-11-30 17:07 EST (History)
3 users (show)

See Also:
Fixed In Version: RHSA-2006-0575
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-08-10 18:20:31 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Fix strnlen_user() on s390 and s390x (884 bytes, patch)
2006-02-17 08:40 EST, David Howells
no flags Details | Diff

  None (edit)
Description David Howells 2006-02-17 08:40:24 EST
Description of problem:  
  
strnlen_user() on s390 and s390x does not return a value greater than maxlen  
if the string is looking at is longer than maxlen; instead it returns maxlen.  
  
This means things that use it (such as add_key, request_key and keyctl) may  
assume that strnlen_user() actually worked, and the string included a NUL  
character, which they then copy (a poor assumption fixed in bug 181879 for the  
key management code).  
  
Version-Release number of selected component (if applicable):  
  
  
How reproducible:  
 
100% 
  
Steps to Reproduce:  
1. PAGE_SIZE=`getconf PAGESIZE` 
2. k=`for ((i=0; i<$((PAGE_SIZE+10)); i++)); do echo -n a; done` 
3. keyctl newring $k @s 
4. cat /proc/keys 
    
Actual results:  
  
Step 3 should fail with EINVAL, but doesn't. 
 
Step 4 shows a key with a description of 4096 'a' characters, and it may have 
some random rubbish on the end or may crash because the string is 
unterminated. 
  
Expected results:  
  
Step 3 should give EINVAL. 
 
Additional info: 
 
This affects both s390 and s390x architectures. 
 
Since it's an arch problem, it may affect other things besides the key 
management syscalls too. 
 
strncpy_from_user() looks like it may also be affected.
Comment 1 David Howells 2006-02-17 08:40:25 EST
Created attachment 124816 [details]
Fix strnlen_user() on s390 and s390x
Comment 2 David Howells 2006-02-17 08:41:19 EST
CVE-2006-0456 
Comment 3 Jason Baron 2006-03-22 10:07:46 EST
committed in stream U4 build 34.6. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/
Comment 7 Red Hat Bugzilla 2006-08-10 18:20:32 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0575.html

Note You need to log in before you can comment on or make changes to this bug.