[PATCH][SRU][PRECISE] KEYS: ensure xbuf is large enough to fix buffer overflow in proc_keys_show (LP: #1634496)

Marcelo Cerri marcelo.cerri at canonical.com
Tue Oct 18 19:35:15 UTC 2016


-- 
Regards,
Marcelo

On Tue, Oct 18, 2016 at 02:47:06PM +0100, Colin King wrote:
> From: Colin Ian King <colin.king at canonical.com>
> 
> BugLink: http://bugs.launchpad.net/bugs/1634496
> 
> CVE-2016-7042
> 
> When stack protect is enabled xbuf is too small for timeout data causing a
> buffer overflow and a stack protector corruption report.
> 
> OriginalAuthor: Vladis Dronov <vdronov at redhat.com>
> OriginalLocation: https://bugzilla.redhat.com/attachment.cgi?id=1200212&action=diff
> 
> Signed-off-by: Colin Ian King <colin.king at canonical.com>
> ---
>  security/keys/proc.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/security/keys/proc.c b/security/keys/proc.c
> index 49bbc97..3f7b410 100644
> --- a/security/keys/proc.c
> +++ b/security/keys/proc.c
> @@ -188,7 +188,7 @@ static int proc_keys_show(struct seq_file *m, void *v)
>  	struct timespec now;
>  	unsigned long timo;
>  	key_ref_t key_ref, skey_ref;
> -	char xbuf[12];
> +	char xbuf[16];

Isn't it safe to use the maximum value possible? 20 for the unsigned long
max, +1 for the unit character and +1 for \0.

>  	int rc;
>  
>  	key_ref = make_key_ref(key, 0);
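
Review bot: the new size in `char xbuf[16];` is still a bare magic number, and nothing in this hunk shows why 16 bytes is enough for the timeout text. `timo` is declared `unsigned long` two lines above, so on a 64-bit build its decimal form alone can take 20 characters, and the unit character plus the terminating NUL bring the worst case to 22 bytes. The formatting calls that write into `xbuf` are outside the visible context, so either size the array for that worst case or make those writes bounded, for example `snprintf(xbuf, sizeof(xbuf), ...)`, and add a short comment on the declaration recording how the size was derived.
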
> -- 
> 2.9.3