[PATCH 0/1] CVE-2010-4083

[Brad Figg]

Following this email will be 1 patch associated with this CVE. The patch
applies cleanly to Dapper, Hardy, Karmic and Maverick. Lucid and Natty
already have received this fix.

    CVE-2010-4083
    
    BugLink: http://bugs.launchpad.net/bugs/712749
    
    The semctl syscall has several code paths that lead to the leakage of
    uninitialized kernel stack memory (namely the IPC_INFO, SEM_INFO,
    IPC_STAT, and SEM_STAT commands) during the use of the older, obsolete
    version of the semid_ds struct.
    
    The copy_semid_to_user() function declares a semid_ds struct on the stack
    and copies it back to the user without initializing or zeroing the
    "sem_base", "sem_pending", "sem_pending_last", and "undo" pointers,
    allowing the leakage of 16 bytes of kernel stack memory.
    
    The code is still reachable on 32-bit systems - when calling semctl()
    newer glibc's automatically OR the IPC command with the IPC_64 flag, but
    invoking the syscall directly allows users to use the older versions of
    the struct.

Dan Rosenberg (1):
  sys_semctl: fix kernel stack leakage, CVE-2010-4083

 ipc/sem.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)