Bug 863171 - CVE-2012-4467 kernel: compat: SIOCGSTAMP/SIOCGSTAMPNS incorrect order of arguments to compat_put_time[val|spec] [fedora-all]
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: kernel
Version: 18
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
Keywords: Security
Reported: 2012-10-04 11:17 EDT by Petr Matousek
Modified: 2012-10-04 11:23 EDT (History)
Last Closed: 2012-10-04 11:23:23 EDT
Description Petr Matousek 2012-10-04 11:17:50 EDT
Description of the problem:

Commit 644595f89620 ("compat: Handle COMPAT_USE_64BIT_TIME in
net/socket.c") introduced a bug where the helper functions to take
either a 64-bit or compat time[spec|val] got the arguments in the wrong
order, passing the kernel stack pointer off as a user pointer (and vice
versa).

On architectures that use separate address spaces for userspace and
kernel (for example PA-RISC), an unprivileged local user can crash the
system or read kernel memory.

Introduced in:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=644595f89620

Upstream fix:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commit;h=ed6fe9d614f

Acknowledgements:

This issue was discovered by Mikulas Patocka of Red Hat.
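The description above explains the defect in one sentence: the helper that copies a time value out to a 32-bit task received its kernel-side and user-side pointers swapped, which on a machine with separate user and kernel address spaces turns a harmless copy into a fault or a read of kernel memory. The following is an added illustration, not code from the bug report or from the kernel: a user-space C model in which a fixed byte array stands in for the user address space and everything else (including the kernel stack) counts as kernel memory. All names (model_copy_to_user, model_compat_put_timeval, siocgstamp_buggy, siocgstamp_fixed, user_ptr) are hypothetical stand-ins for the real helpers, the convention that the helper takes the kernel value first and the user destination second is an assumption of the model, and the timestamp is a constructed value. The last part goes a step beyond the report and shows the defensive design that catches such a swap at compile time: give user pointers their own type, the role that the kernel's __user annotation plays under sparse.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MODEL_EFAULT 14   /* mirrors errno EFAULT; a model constant */

/* 64-bit kernel-side timeval and the 32-bit layout a compat task expects. */
struct model_timeval        { int64_t tv_sec; int64_t tv_usec; };
struct model_compat_timeval { int32_t tv_sec; int32_t tv_usec; };

/* The model "user address space": only bytes inside this array count as user
 * addresses.  Anything else, including the kernel stack, is a kernel address. */
static _Alignas(8) unsigned char user_space[64];

static int is_user_range(const void *p, size_t len)
{
    uintptr_t lo = (uintptr_t)user_space, hi = lo + sizeof user_space;
    uintptr_t a = (uintptr_t)p;
    return a >= lo && a <= hi && len <= hi - a;
}

/* Model of copy_to_user(): the destination must be a user address and the
 * source a kernel one.  A mismatch is reported as -EFAULT here; a real kernel
 * on a split-address-space machine may instead crash or copy the wrong memory. */
static int model_copy_to_user(void *udst, const void *ksrc, size_t len)
{
    if (!is_user_range(udst, len) || is_user_range(ksrc, len))
        return -MODEL_EFAULT;
    memcpy(udst, ksrc, len);
    return 0;
}

/* Model of compat_put_timeval(): kernel value FIRST, user destination SECOND
 * (assumed convention).  Both parameters are plain pointers, so a caller that
 * swaps them compiles without any warning. */
static int model_compat_put_timeval(const struct model_timeval *tv, void *utv)
{
    struct model_timeval k;
    struct model_compat_timeval ctv;
    memcpy(&k, tv, sizeof k);                 /* read the kernel-side value */
    ctv.tv_sec  = (int32_t)k.tv_sec;
    ctv.tv_usec = (int32_t)k.tv_usec;
    return model_copy_to_user(utv, &ctv, sizeof ctv);
}

/* Constructed timestamp returned by the model "socket". */
static const struct model_timeval SAMPLE_STAMP = { 1349363870, 123456 };

/* SIOCGSTAMP handler with the defect the report describes: the kernel stack
 * copy ktv and the user pointer up are handed over in the wrong order.  The
 * void * converts silently, which is why the compiler never objected. */
static int siocgstamp_buggy(void *up)
{
    struct model_timeval ktv = SAMPLE_STAMP;
    return model_compat_put_timeval(up, &ktv);
}

/* The same handler with the arguments in the order the helper expects. */
static int siocgstamp_fixed(void *up)
{
    struct model_timeval ktv = SAMPLE_STAMP;
    return model_compat_put_timeval(&ktv, up);
}

/* What the compat task would see in its buffer afterwards. */
static int32_t user_compat_tv_sec(const void *up)
{
    struct model_compat_timeval ctv;
    memcpy(&ctv, up, sizeof ctv);
    return ctv.tv_sec;
}

/* Defensive variant: wrap user pointers in their own struct type so a swapped
 * call is a type error instead of a runtime fault. */
struct user_ptr { void *p; };

static int typed_compat_put_timeval(const struct model_timeval *tv,
                                    struct user_ptr utv)
{
    return model_compat_put_timeval(tv, utv.p);
}

static int siocgstamp_typed(struct user_ptr up)
{
    struct model_timeval ktv = SAMPLE_STAMP;
    /* typed_compat_put_timeval(up, &ktv) would be rejected by the compiler. */
    return typed_compat_put_timeval(&ktv, up);
}

int main(void)
{
    struct user_ptr up = { user_space };
    printf("buggy order: %d\n", siocgstamp_buggy(user_space));
    printf("fixed order: %d, tv_sec seen by user = %d\n",
           siocgstamp_fixed(user_space), (int)user_compat_tv_sec(user_space));
    printf("typed order: %d\n", siocgstamp_typed(up));
    return 0;
}
```

In the buggy path the helper reads the "kernel value" out of the user buffer and then tries to write into the kernel stack as if it were a user address, which the model rejects with -EFAULT; the fixed path writes the 32-bit timeval into the user buffer. The typed variant is the check that would have made the original swap fail to build rather than ship.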
Comment 1 Josh Boyer 2012-10-04 11:23:23 EDT
Fixed in 3.6-rc5.  F18 and rawhide are on 3.6 final now so already fixed.

Backported to the 3.5.4 stable kernel with commit d6534b3afbbb228c0eed4fa4a6d00a3490a5da52.  Already fixed in F17.

Backported to the 3.4.11 kernel with commit 43da476d7f734a1b55680668246d0237dde4ea57.  Already fixed in F16.
