Bug 515392 (CVE-2009-2847) - CVE-2009-2847 kernel: information leak in sigaltstack
Summary: CVE-2009-2847 kernel: information leak in sigaltstack
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-2847
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 515393 515394 515395 515396 515397
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-08-04 03:13 UTC by Eugene Teo (Security Response)
Modified: 2021-11-12 19:59 UTC (History)
15 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-03-28 08:47:39 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1239 0 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2009-09-01 07:38:14 UTC
Red Hat Product Errata RHSA-2009:1243 0 normal SHIPPED_LIVE Important: Red Hat Enterprise Linux 5.4 kernel security and bug fix update 2009-09-01 08:53:34 UTC
Red Hat Product Errata RHSA-2009:1438 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-09-15 08:30:27 UTC
Red Hat Product Errata RHSA-2009:1466 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-09-29 16:10:13 UTC

Description Eugene Teo (Security Response) 2009-08-04 03:13:24 UTC 
Description of problem:
do_sigaltstack: avoid copying 'stack_t' as a structure to user space
    
Ulrich Drepper correctly points out that there is generally padding in the structure on 64-bit hosts, and that copying the structure from kernel to user space can leak information from the kernel stack in those padding bytes.
    
Avoid the whole issue by just copying the three members one by one instead, which also means that the function also can avoid the need for a stack frame.  This also happens to match how we copy the new structure from user space, so it all even makes sense.

Upstream commit:
http://git.kernel.org/linus/0083fc2c50e6c5127c2802ad323adf8143ab7856
Comment 2 Eugene Teo (Security Response) 2009-08-05 02:05:18 UTC 
Reproducer:
http://milw0rm.com/exploits/9352
Comment 3 Jan Lieskovsky 2009-08-19 10:06:37 UTC 
MITRE's CVE-2009-2847 entry:
----------------------------

The do_sigaltstack function in kernel/signal.c in Linux kernel 2.6
before 2.6.31-rc5, when running on 64-bit systems, does not clear
certain padding bytes from a structure, which allows local users to
obtain sensitive information from the kernel stack via the sigaltstack
function.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2847
http://www.milw0rm.com/exploits/9352
http://www.openwall.com/lists/oss-security/2009/08/04/1
http://www.openwall.com/lists/oss-security/2009/08/05/1
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=0083fc2c50e6c5127c2802ad323adf8143ab7856
Comment 4 Fedora Update System 2009-08-26 05:12:18 UTC 
kernel-2.6.29.6-217.2.16.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kernel-2.6.29.6-217.2.16.fc11
Comment 5 Fedora Update System 2009-08-27 02:19:06 UTC 
kernel-2.6.29.6-217.2.16.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 errata-xmlrpc 2009-09-01 07:38:48 UTC 
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2009:1239 https://rhn.redhat.com/errata/RHSA-2009-1239.html
Comment 7 errata-xmlrpc 2009-09-01 09:29:06 UTC 
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2009:1239 https://rhn.redhat.com/errata/RHSA-2009-1239.html
Comment 8 errata-xmlrpc 2009-09-02 08:01:28 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1243 https://rhn.redhat.com/errata/RHSA-2009-1243.html
Comment 9 errata-xmlrpc 2009-09-02 09:06:37 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1243 https://rhn.redhat.com/errata/RHSA-2009-1243.html
Comment 10 errata-xmlrpc 2009-09-02 12:07:50 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1243 https://rhn.redhat.com/errata/RHSA-2009-1243.html
Comment 11 errata-xmlrpc 2009-09-15 08:30:42 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1438 https://rhn.redhat.com/errata/RHSA-2009-1438.html
Comment 12 errata-xmlrpc 2009-09-29 16:10:19 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.3.Z - Server Only

Via RHSA-2009:1466 https://rhn.redhat.com/errata/RHSA-2009-1466.html
Comment 13 Fedora Update System 2009-10-02 11:00:04 UTC 
kernel-2.6.27.35-170.2.94.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kernel-2.6.27.35-170.2.94.fc10
Comment 14 Fedora Update System 2009-10-03 18:55:41 UTC 
kernel-2.6.27.35-170.2.94.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.