Description of problem:
strnlen_user() on s390 and s390x does not return a value greater than maxlen if the string it is looking at is longer than maxlen; instead it returns maxlen. This means things that use it (such as add_key, request_key and keyctl) may assume that strnlen_user() actually worked, and the string included a NUL character, which they then copy (a poor assumption fixed in bug 181879 for the key management code).

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1. PAGE_SIZE=`getconf PAGESIZE`
2. k=`for ((i=0; i<$((PAGE_SIZE+10)); i++)); do echo -n a; done`
3. keyctl newring $k @s
4. cat /proc/keys

Actual results:
Step 3 should fail with EINVAL, but doesn't. Step 4 shows a key with a description of 4096 'a' characters, and it may have some random rubbish on the end or may crash because the string is unterminated.

Expected results:
Step 3 should give EINVAL.

Additional info:
This affects both s390 and s390x architectures. Since it's an arch problem, it may affect other things besides the key management syscalls too. strncpy_from_user() looks like it may also be affected.
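The following is an added userspace model of the failure described above; it is not code from the bug report, the attached patch, or the kernel. It models two variants of strnlen_user(): the correct contract (return a value greater than maxlen when no NUL is found within maxlen bytes) and the saturating behaviour the report attributes to s390/s390x (return exactly maxlen). A caller written in the style the report describes (check the returned length against the page size, then copy that many bytes and assume the last one is a NUL) is shown beside a hardened caller that verifies the terminator after the copy. The page size of 64, the description of PAGE_SIZE+10 'a' characters, and the function names are constructed for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Correct strnlen_user() contract (model): length including the NUL if one
 * is found within maxlen bytes, otherwise some value strictly greater than
 * maxlen so the caller can tell the string was not terminated. */
static size_t strnlen_user_correct(const char *s, size_t maxlen)
{
    for (size_t i = 0; i < maxlen; i++)
        if (s[i] == '\0')
            return i + 1;
    return maxlen + 1;
}

/* Buggy behaviour as described in the report (model): saturates at maxlen,
 * so a string longer than maxlen looks like one that fit exactly. */
static size_t strnlen_user_buggy(const char *s, size_t maxlen)
{
    for (size_t i = 0; i < maxlen; i++)
        if (s[i] == '\0')
            return i + 1;
    return maxlen;
}

/* Caller in the style the report describes: trusts the returned length and
 * copies len bytes, assuming out[len - 1] is the NUL. With the buggy
 * strnlen_user() an over-long string passes the check and the copy is
 * left unterminated. Returns 0 on success, -EINVAL on rejection. */
static int accept_description(size_t (*nlen)(const char *, size_t),
                              const char *desc, size_t page_size,
                              char *out, size_t out_size)
{
    size_t len = nlen(desc, page_size);
    if (len == 0 || len > page_size || len > out_size)
        return -EINVAL;
    memcpy(out, desc, len);
    return 0;
}

/* Hardened caller: does not trust the length alone and verifies that the
 * bytes actually copied end in a NUL, which is what a caller should do
 * regardless of which architecture's strnlen_user() it runs on. */
static int accept_description_checked(size_t (*nlen)(const char *, size_t),
                                      const char *desc, size_t page_size,
                                      char *out, size_t out_size)
{
    int ret = accept_description(nlen, desc, page_size, out, out_size);
    if (ret)
        return ret;
    size_t len = nlen(desc, page_size);
    if (out[len - 1] != '\0')
        return -EINVAL;
    return 0;
}

/* Constructed reproduction of the report's steps 2 and 3 with a small page
 * size: a description of DEMO_PAGE_SIZE + 10 'a' characters. */
#define DEMO_PAGE_SIZE 64

static int demo_accept(size_t (*nlen)(const char *, size_t), int checked)
{
    char desc[DEMO_PAGE_SIZE + 11];
    char out[DEMO_PAGE_SIZE + 1];
    memset(desc, 'a', sizeof(desc) - 1);
    desc[sizeof(desc) - 1] = '\0';
    memset(out, 'X', sizeof(out));
    return checked
        ? accept_description_checked(nlen, desc, DEMO_PAGE_SIZE, out, sizeof(out))
        : accept_description(nlen, desc, DEMO_PAGE_SIZE, out, sizeof(out));
}

int main(void)
{
    printf("correct strnlen_user, naive caller:   %d\n",
           demo_accept(strnlen_user_correct, 0));
    printf("buggy strnlen_user,   naive caller:   %d\n",
           demo_accept(strnlen_user_buggy, 0));
    printf("buggy strnlen_user,   checked caller: %d\n",
           demo_accept(strnlen_user_buggy, 1));
    return 0;
}
```

With the correct strnlen_user() the naive caller rejects the over-long description with -EINVAL; with the saturating variant it accepts it and the copied buffer has no terminator, which is the unterminated key description the report observes in /proc/keys. The checked caller rejects it in both cases.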
Created attachment 124816: Fix strnlen_user() on s390 and s390x
CVE-2006-0456
committed in stream U4 build 34.6. A test kernel with this patch is available from http://people.redhat.com/~jbaron/rhel4/
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2006-0575.html