This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 515392 - (CVE-2009-2847) CVE-2009-2847 kernel: information leak in sigaltstack
CVE-2009-2847 kernel: information leak in sigaltstack
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,source=lkml,reported=...
: Security
Depends On: 515393 515394 515395 515396 515397
Blocks:
  Show dependency treegraph
 
Reported: 2009-08-03 23:13 EDT by Eugene Teo (Security Response)
Modified: 2012-03-28 04:47 EDT (History)
15 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-03-28 04:47:39 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Eugene Teo (Security Response) 2009-08-03 23:13:24 EDT
Description of problem:
do_sigaltstack: avoid copying 'stack_t' as a structure to user space
    
Ulrich Drepper correctly points out that there is generally padding in the structure on 64-bit hosts, and that copying the structure from kernel to user space can leak information from the kernel stack in those padding bytes.
    
Avoid the whole issue by just copying the three members one by one instead, which also means that the function also can avoid the need for a stack frame.  This also happens to match how we copy the new structure from user space, so it all even makes sense.

Upstream commit:
http://git.kernel.org/linus/0083fc2c50e6c5127c2802ad323adf8143ab7856
Comment 2 Eugene Teo (Security Response) 2009-08-04 22:05:18 EDT
Reproducer:
http://milw0rm.com/exploits/9352
Comment 3 Jan Lieskovsky 2009-08-19 06:06:37 EDT
MITRE's CVE-2009-2847 entry:
----------------------------

The do_sigaltstack function in kernel/signal.c in Linux kernel 2.6
before 2.6.31-rc5, when running on 64-bit systems, does not clear
certain padding bytes from a structure, which allows local users to
obtain sensitive information from the kernel stack via the sigaltstack
function.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2847
http://www.milw0rm.com/exploits/9352
http://www.openwall.com/lists/oss-security/2009/08/04/1
http://www.openwall.com/lists/oss-security/2009/08/05/1
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=0083fc2c50e6c5127c2802ad323adf8143ab7856
Comment 4 Fedora Update System 2009-08-26 01:12:18 EDT
kernel-2.6.29.6-217.2.16.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kernel-2.6.29.6-217.2.16.fc11
Comment 5 Fedora Update System 2009-08-26 22:19:06 EDT
kernel-2.6.29.6-217.2.16.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 errata-xmlrpc 2009-09-01 03:38:48 EDT
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2009:1239 https://rhn.redhat.com/errata/RHSA-2009-1239.html
Comment 7 errata-xmlrpc 2009-09-01 05:29:06 EDT
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2009:1239 https://rhn.redhat.com/errata/RHSA-2009-1239.html
Comment 8 errata-xmlrpc 2009-09-02 04:01:28 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1243 https://rhn.redhat.com/errata/RHSA-2009-1243.html
Comment 9 errata-xmlrpc 2009-09-02 05:06:37 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1243 https://rhn.redhat.com/errata/RHSA-2009-1243.html
Comment 10 errata-xmlrpc 2009-09-02 08:07:50 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1243 https://rhn.redhat.com/errata/RHSA-2009-1243.html
Comment 11 errata-xmlrpc 2009-09-15 04:30:42 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1438 https://rhn.redhat.com/errata/RHSA-2009-1438.html
Comment 12 errata-xmlrpc 2009-09-29 12:10:19 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.3.Z - Server Only

Via RHSA-2009:1466 https://rhn.redhat.com/errata/RHSA-2009-1466.html
Comment 13 Fedora Update System 2009-10-02 07:00:04 EDT
kernel-2.6.27.35-170.2.94.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kernel-2.6.27.35-170.2.94.fc10
Comment 14 Fedora Update System 2009-10-03 14:55:41 EDT
kernel-2.6.27.35-170.2.94.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.