Bug 181881 - CVE-2006-0456 s390/s390x strnlen_user() is broken
Summary: CVE-2006-0456 s390/s390x strnlen_user() is broken
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel   
(Show other bugs)
Version: 4.0
Hardware: s390 Linux
medium
high
Target Milestone: ---
: ---
Assignee: Jan Glauber
QA Contact: Brian Brock
URL:
Whiteboard: reported=20060217,source=redhat,impac...
Keywords: Security
Depends On:
Blocks: 181409
TreeView+ depends on / blocked
 
Reported: 2006-02-17 13:40 UTC by David Howells
Modified: 2007-11-30 22:07 UTC (History)
3 users (show)

Fixed In Version: RHSA-2006-0575
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-08-10 22:20:31 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Fix strnlen_user() on s390 and s390x (884 bytes, patch)
2006-02-17 13:40 UTC, David Howells
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2006:0575 normal SHIPPED_LIVE Important: Updated kernel packages available for Red Hat Enterprise Linux 4 Update 4 2006-08-10 04:00:00 UTC

Description David Howells 2006-02-17 13:40:24 UTC
Description of problem:  
  
strnlen_user() on s390 and s390x does not return a value greater than maxlen  
if the string is looking at is longer than maxlen; instead it returns maxlen.  
  
This means things that use it (such as add_key, request_key and keyctl) may  
assume that strnlen_user() actually worked, and the string included a NUL  
character, which they then copy (a poor assumption fixed in bug 181879 for the  
key management code).  
  
Version-Release number of selected component (if applicable):  
  
  
How reproducible:  
 
100% 
  
Steps to Reproduce:  
1. PAGE_SIZE=`getconf PAGESIZE` 
2. k=`for ((i=0; i<$((PAGE_SIZE+10)); i++)); do echo -n a; done` 
3. keyctl newring $k @s 
4. cat /proc/keys 
    
Actual results:  
  
Step 3 should fail with EINVAL, but doesn't. 
 
Step 4 shows a key with a description of 4096 'a' characters, and it may have 
some random rubbish on the end or may crash because the string is 
unterminated. 
  
Expected results:  
  
Step 3 should give EINVAL. 
 
Additional info: 
 
This affects both s390 and s390x architectures. 
 
Since it's an arch problem, it may affect other things besides the key 
management syscalls too. 
 
strncpy_from_user() looks like it may also be affected.

Comment 1 David Howells 2006-02-17 13:40:25 UTC
Created attachment 124816 [details]
Fix strnlen_user() on s390 and s390x

Comment 2 David Howells 2006-02-17 13:41:19 UTC
CVE-2006-0456 

Comment 3 Jason Baron 2006-03-22 15:07:46 UTC
committed in stream U4 build 34.6. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/

Comment 7 Red Hat Bugzilla 2006-08-10 22:20:32 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0575.html



Note You need to log in before you can comment on or make changes to this bug.