Bug 863171 - CVE-2012-4467 kernel: compat: SIOCGSTAMP/SIOCGSTAMPNS incorrect order of arguments to compat_put_time[val|spec] [fedora-all]
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 18
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-10-04 15:17 UTC by Petr Matousek
Modified: 2012-10-04 15:23 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-10-04 15:23:23 UTC
Type: ---
Embargoed:


Description Petr Matousek 2012-10-04 15:17:50 UTC
Description of the problem:

Commit 644595f89620 ("compat: Handle COMPAT_USE_64BIT_TIME in
net/socket.c") introduced a bug where the helper functions to take
either a 64-bit or compat time[spec|val] got the arguments in the wrong
order, passing the kernel stack pointer off as a user pointer (and vice
versa).

On architectures that use separate address spaces for userspace and
kernel (for example PA-RISC), an unprivileged local user can crash the
system or read kernel memory.

Introduced in:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=644595f89620

Upstream fix:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commit;h=ed6fe9d614f

Acknowledgements:

This issue was discovered by Mikulas Patocka of Red Hat.
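
An added example, not part of the original report or the kernel source: a userspace C model of the argument swap described above, showing that the swapped call compiles, leaves the caller's buffer without the timestamp, and moves unrelated kernel-space bytes into user space. All `model_*` names, the offsets and the timestamp are constructed for illustration; the typed helper is a hypothetical hardening, not the upstream fix.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model: two address spaces sharing one numeric range, as on a
 * split-address-space architecture. Offsets stand in for pointers. */
#define SPACE_SIZE 64
static unsigned char kernel_space[SPACE_SIZE], user_space[SPACE_SIZE];

struct tv32 { int32_t sec, usec; };            /* compat-sized timeval */

/* Model of copy_to_user(): 'to' resolves in user space, 'from' in kernel. */
static int model_copy_to_user(size_t to, size_t from, size_t n)
{
    if (to > SPACE_SIZE - n || from > SPACE_SIZE - n)
        return -1;                             /* -EFAULT in a real kernel */
    memcpy(&user_space[to], &kernel_space[from], n);
    return 0;
}

/* Untyped helper (kernel source, user destination): either order compiles. */
static int model_put_timeval(size_t ktv, size_t utv)
{
    return model_copy_to_user(utv, ktv, sizeof(struct tv32));
}

/* Hardened helper: a distinct type for user addresses turns a swapped call
 * into a compile error. */
typedef struct { size_t off; } user_off_t;
static int model_put_timeval_typed(size_t ktv, user_off_t utv)
{
    return model_copy_to_user(utv.off, ktv, sizeof(struct tv32));
}

/* Tail of the ioctl: returns the seconds value the caller finds at 'up'. */
static int32_t model_siocgstamp(int swapped)
{
    const size_t ktv = 8, up = 32;             /* kernel slot, user buffer */
    struct tv32 stamp = { 1349363870, 0 }, out; /* constructed timestamp */
    memset(kernel_space, 0xAA, sizeof kernel_space); /* unrelated kernel data */
    memset(user_space, 0, sizeof user_space);
    memcpy(&kernel_space[ktv], &stamp, sizeof stamp);
    if (swapped)
        model_put_timeval(up, ktv);            /* wrong order, still compiles */
    else
        model_put_timeval_typed(ktv, (user_off_t){ up });
    memcpy(&out, &user_space[up], sizeof out);
    return out.sec;
}
```

In the kernel itself, the `__user` annotation plays the role of the distinct type, but it is checked by sparse rather than by the compiler.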

Comment 1 Josh Boyer 2012-10-04 15:23:23 UTC
Fixed in 3.6-rc5.  F18 and rawhide are on 3.6 final now so already fixed.

Backported to the 3.5.4 stable kernel with commit d6534b3afbbb228c0eed4fa4a6d00a3490a5da52.  Already fixed in F17.

Backported to the 3.4.11 kernel with commit 43da476d7f734a1b55680668246d0237dde4ea57.  Already fixed in F16.

