[CVE A/B] CVE-2018-11508 -- compat_get_timex information leak

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

[CVE A/B] CVE-2018-11508 -- compat_get_timex information leak

Andy Whitcroft-3
CVE-2018-11508:
        The compat_get_timex function in kernel/compat.c in the
        Linux kernel before 4.16.9 allows local users to obtain
        sensitive information from kernel memory via adjtimex.

Following this email is a patch for bionic/linux and artful/linux.  This
is a clean cherry-pick in both series.  Earlier series are unaffected by
this issue.

Proposing for SRU to artful and bionic.

-apw

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

[artful/linux bionic/linux 1/1] compat: fix 4-byte infoleak via uninitialized struct field

Andy Whitcroft-3
From: Jann Horn <[hidden email]>

Commit 3a4d44b61625 ("ntp: Move adjtimex related compat syscalls to
native counterparts") removed the memset() in compat_get_timex().  Since
then, the compat adjtimex syscall can invoke do_adjtimex() with an
uninitialized ->tai.

If do_adjtimex() doesn't write to ->tai (e.g.  because the arguments are
invalid), compat_put_timex() then copies the uninitialized ->tai field
to userspace.

Fix it by adding the memset() back.

Fixes: 3a4d44b61625 ("ntp: Move adjtimex related compat syscalls to native counterparts")
Signed-off-by: Jann Horn <[hidden email]>
Acked-by: Kees Cook <[hidden email]>
Acked-by: Al Viro <[hidden email]>
Signed-off-by: Linus Torvalds <[hidden email]>

(cherry picked from commit 0a0b98734479aa5b3c671d5190e86273372cab95)
CVE-2018-11508
Signed-off-by: Andy Whitcroft <[hidden email]>
---
 kernel/compat.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kernel/compat.c b/kernel/compat.c
index d1cee656a7ed..3ead2efff78e 100644
--- a/kernel/compat.c
+++ b/kernel/compat.c
@@ -34,6 +34,7 @@ int compat_get_timex(struct timex *txc, const struct compat_timex __user *utp)
 {
  struct compat_timex tx32;
 
+ memset(txc, 0, sizeof(struct timex));
  if (copy_from_user(&tx32, utp, sizeof(struct compat_timex)))
  return -EFAULT;
 
--
2.17.0


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

ACK: [artful/linux bionic/linux 1/1] compat: fix 4-byte infoleak via uninitialized struct field

Thadeu Lima de Souza Cascardo-3
Acked-by: Thadeu Lima de Souza Cascardo <[hidden email]>

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

ACK: [artful/linux bionic/linux 1/1] compat: fix 4-byte infoleak via uninitialized struct field

Marcelo Henrique Cerri
In reply to this post by Andy Whitcroft-3
Acked-by: Marcelo Henrique Cerri <[hidden email]>

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

signature.asc (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: [CVE A/B] CVE-2018-11508 -- compat_get_timex information leak

Khaled Elmously
In reply to this post by Andy Whitcroft-3
Applied to A and B

On 2018-06-08 15:29:06 , Andy Whitcroft wrote:

> CVE-2018-11508:
> The compat_get_timex function in kernel/compat.c in the
> Linux kernel before 4.16.9 allows local users to obtain
> sensitive information from kernel memory via adjtimex.
>
> Following this email is a patch for bionic/linux and artful/linux.  This
> is a clean cherry-pick in both series.  Earlier series are unaffected by
> this issue.
>
> Proposing for SRU to artful and bionic.
>
> -apw
>
> --
> kernel-team mailing list
> [hidden email]
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

APPLIED: [CVE A/B] CVE-2018-11508 -- compat_get_timex information leak

Khaled Elmously
In reply to this post by Andy Whitcroft-3
Marking subject as applied

On 2018-06-08 15:29:06 , Andy Whitcroft wrote:

> CVE-2018-11508:
> The compat_get_timex function in kernel/compat.c in the
> Linux kernel before 4.16.9 allows local users to obtain
> sensitive information from kernel memory via adjtimex.
>
> Following this email is a patch for bionic/linux and artful/linux.  This
> is a clean cherry-pick in both series.  Earlier series are unaffected by
> this issue.
>
> Proposing for SRU to artful and bionic.
>
> -apw
>
> --
> kernel-team mailing list
> [hidden email]
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team