Bug 503902 - kernel: TPM: get_event_name stack corruption [mrg-1]
Summary: kernel: TPM: get_event_name stack corruption [mrg-1]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: realtime-kernel
Version: Development
Hardware: All
OS: Linux
high
high
Target Milestone: 1.1.5
: ---
Assignee: Red Hat Real Time Maintenance
QA Contact: David Sommerseth
URL:
Whiteboard:
Depends On:
Blocks: 503905 504081
TreeView+ depends on / blocked
 
Reported: 2009-06-03 09:50 UTC by Eugene Teo (Security Response)
Modified: 2016-05-22 23:28 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 503905 504081 (view as bug list)
Environment:
Last Closed: 2009-07-14 19:11:41 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1157 0 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2009-07-14 19:11:05 UTC

Description Eugene Teo (Security Response) 2009-06-03 09:50:46 UTC 
Description of problem:
get_event_name uses sprintf to fill a buffer declared on the stack.  It fills the buffer 2 bytes at a time.  What the code doesn't take into account is that sprintf(buf, "%02x", data) actually writes 3 bytes.  2 bytes for the data and then it nul terminates the string.  Since we declare buf to be 40 characters long and then we write 40 bytes of data into buf sprintf is going to write 41 characters.  The fix is to leave room in buf for the nul terminator.

Upstream commit:
http://git.kernel.org/linus/fbaa58696cef848de818768783ef185bd3f05158
Comment 2 John Kacur 2009-07-01 19:13:19 UTC 
Applied to MRG 1.1
Comment 4 David Sommerseth 2009-07-10 15:04:13 UTC 
Verified by code review against the 2.6.24.7-126 source tree.  Found upstream commit fbaa58696cef848de818768783ef185bd3f05158 as mrg-rt.git commit 90bbc7f6612e50ae31a0f8b01f34ac66adda2857 (CVS: bz503902_get_event_name_stack_corruption.patch).
Comment 6 errata-xmlrpc 2009-07-14 19:11:41 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-1157.html
Note You need to log in before you can comment on or make changes to this bug.