Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 5 product line. The current stable release is 5.10. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 503905

Summary: kernel: TPM: get_event_name stack corruption [rhel-5.4]
Product: Red Hat Enterprise Linux 5 Reporter: Eugene Teo (Security Response) <eteo>
Component: kernelAssignee: Dean Nelson <dnelson>
Status: CLOSED ERRATA QA Contact: Red Hat Kernel QE team <kernel-qe>
Severity: high Docs Contact:
Priority: urgent    
Version: 5.4CC: dhoward, dnelson, dzickus, emcnabb, eparis, eteo, jmorris, jpirko, jplans, jskrabal, lwang
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 503902 Environment:
Last Closed: 2009-09-02 08:05:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 503902    
Bug Blocks: 506906    
Attachments:
Description Flags
[RHEL5.4 PATCH] TPM: get_event_name stack corruption none

Description Eugene Teo (Security Response) 2009-06-03 09:59:26 UTC 
+++ This bug was initially created as a clone of Bug #503902 +++

Description of problem:
get_event_name uses sprintf to fill a buffer declared on the stack.  It fills the buffer 2 bytes at a time.  What the code doesn't take into account is that sprintf(buf, "%02x", data) actually writes 3 bytes.  2 bytes for the data and then it nul terminates the string.  Since we declare buf to be 40 characters long and then we write 40 bytes of data into buf sprintf is going to write 41 characters.  The fix is to leave room in buf for the nul terminator.

Upstream commit:
http://git.kernel.org/linus/fbaa58696cef848de818768783ef185bd3f05158
Comment 3 Dean Nelson 2009-06-10 17:56:41 UTC 
Created attachment 347268 [details]
[RHEL5.4 PATCH] TPM: get_event_name stack corruption
Comment 4 RHEL Program Management 2009-06-10 18:11:34 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 5 Don Zickus 2009-06-18 14:51:45 UTC 
in kernel-2.6.18-154.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5

Please do NOT transition this bugzilla state to VERIFIED until our QE team
has sent specific instructions indicating when to do so.  However feel free
to provide a comment indicating that this fix has been verified.
Comment 10 errata-xmlrpc 2009-09-02 08:05:58 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-1243.html