oss-sec mailing list archives

CVE Request -- kernel: compat: SIOCGSTAMP/SIOCGSTAMPNS incorrect order of arguments to compat_put_time[val|spec]

From: Petr Matousek <pmatouse () redhat com>
Date: Thu, 4 Oct 2012 00:08:56 +0200

Description of the problem:

Commit 644595f89620 ("compat: Handle COMPAT_USE_64BIT_TIME in
net/socket.c") introduced a bug where the helper functions to take
either a 64-bit or compat time[spec|val] got the arguments in the wrong
order, passing the kernel stack pointer off as a user pointer (and vice
versa).

On architectures that use separate address spaces for userspace and
kernel (for example PA-RISC), an unprivileged local user can crash the
system or read kernel memory.

Introduced in:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=644595f89620

Upstream fix:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commit;h=ed6fe9d614f

Acknowledgements:

This issue was discovered by Mikulas Patocka of Red Hat.

Thanks,
-- 
Petr Matousek / Red Hat Security Response Team

Current thread:

CVE Request -- kernel: compat: SIOCGSTAMP/SIOCGSTAMPNS incorrect order of arguments to compat_put_time[val|spec] Petr Matousek (Oct 03)
- Re: CVE Request -- kernel: compat: SIOCGSTAMP/SIOCGSTAMPNS incorrect order of arguments to compat_put_time[val|spec] Kurt Seifried (Oct 03)