[artful/linux,bionic/linux,1/1] compat: fix 4-byte infoleak via uninitialized struct field

Message ID 20180608142907.11365-2-apw@canonical.com
State New
Headers show
Series
  • [artful/linux,bionic/linux,1/1] compat: fix 4-byte infoleak via uninitialized struct field
Related show

Commit Message

Andy Whitcroft June 8, 2018, 2:29 p.m.
From: Jann Horn <jannh@google.com>

Commit 3a4d44b61625 ("ntp: Move adjtimex related compat syscalls to
native counterparts") removed the memset() in compat_get_timex().  Since
then, the compat adjtimex syscall can invoke do_adjtimex() with an
uninitialized ->tai.

If do_adjtimex() doesn't write to ->tai (e.g.  because the arguments are
invalid), compat_put_timex() then copies the uninitialized ->tai field
to userspace.

Fix it by adding the memset() back.

Fixes: 3a4d44b61625 ("ntp: Move adjtimex related compat syscalls to native counterparts")
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

(cherry picked from commit 0a0b98734479aa5b3c671d5190e86273372cab95)
CVE-2018-11508
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 kernel/compat.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Thadeu Lima de Souza Cascardo June 8, 2018, 2:32 p.m. | #1
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Marcelo Henrique Cerri June 8, 2018, 2:40 p.m. | #2
Acked-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>

Patch

diff --git a/kernel/compat.c b/kernel/compat.c
index d1cee656a7ed..3ead2efff78e 100644
--- a/kernel/compat.c
+++ b/kernel/compat.c
@@ -34,6 +34,7 @@  int compat_get_timex(struct timex *txc, const struct compat_timex __user *utp)
 {
 	struct compat_timex tx32;
 
+	memset(txc, 0, sizeof(struct timex));
 	if (copy_from_user(&tx32, utp, sizeof(struct compat_timex)))
 		return -EFAULT;