lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 24 Oct 2012 14:53:33 -0700
From:	Kees Cook <keescook@...omium.org>
To:	Andrew Morton <akpm@...ux-foundation.org>
Cc:	linux-kernel@...r.kernel.org, Michal Marek <mmarek@...e.cz>,
	Brad Spengler <spender@...ecurity.net>,
	PaX Team <pageexec@...email.hu>
Subject: Re: [RESEND][PATCH] gen_init_cpio: avoid stack overflow when expanding

On Wed, Oct 24, 2012 at 2:44 PM, Andrew Morton
<akpm@...ux-foundation.org> wrote:
> On Wed, 24 Oct 2012 14:33:02 -0700
> Kees Cook <keescook@...omium.org> wrote:
>
>> On Wed, Oct 24, 2012 at 2:02 PM, Andrew Morton
>> <akpm@...ux-foundation.org> wrote:
>> > On Wed, 24 Oct 2012 13:57:56 -0700
>> > Kees Cook <keescook@...omium.org> wrote:
>> >
>> >> Fix possible overflow of the buffer used for expanding environment
>> >> variables when building file list.
>> >>
>> >> $ cat usr/crash.list
>> >> file foo ${BIG}${BIG}${BIG}${BIG}${BIG}${BIG} 0755 0 0
>> >> $ BIG=$(perl -e 'print "A" x 4096;') ./usr/gen_init_cpio usr/crash.list
>> >> *** buffer overflow detected ***: ./usr/gen_init_cpio terminated
>> >>
>> >> This also replaces the space-indenting with tabs.
>> >>
>> >> Patch based on existing fix extracted from grsecurity.
>> >>
>> >> ...
>> >>
>> >> Cc: stable@...r.kernel.org
>> >
>> > Why did you feel we need to backport this to -stable?
>>
>> It's an extremely hard to hit security issue, but it's a security fix
>> regardless. I won't cry if it doesn't go to stable, but it seems a
>> trivial fix, so I included it for stable.
>
> Well, I do think that a description of the user impact of the bug
> should be included in the changelog so that poor old Greg can work out
> why we sent it at him.
>
> If you can suggest some suitable text I can copy-n-slurp that into the
> changelog.

How about replacing the first paragraph with:

Fix possible overflow of the buffer used for expanding environment
variables when building file list. In the extremely unlikely case of
an attacker having control over the environment variables visible to
gen_init_cpio, control over the contents of the file gen_init_cpio
parses, and gen_init_cpio was built without compiler hardening, the
attacker can gain arbitrary execution control via a stack buffer
overflow.


-Kees

-- 
Kees Cook
Chrome OS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ