uname under UNAME26 personality leaks kernel stack contents

Bug #1060521 reported by Kees Cook
This bug report is a duplicate of: Bug #1065622: CVE-2012-0957.
Affects: linux (Ubuntu) | Status: Fix Released | Importance: High | Assigned to: Unassigned | Milestone: (none)

Bug Description

When using the UNAME26 personality, the uname() syscall will leak kernel stack contents:

$ ./uts-leak
3.4.0
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2.6.44
fdf2280000001400000001000000000000000000000040a8dcf200107d77783fdcf25620c87f0020dcf2000000009c3fdcf28230198186010000
Leaked 65 bytes!
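
Added example (not from the bug report or its attachments): a user-space model of the override_release() logic in kernel/sys.c, showing the pre-fix shape beside the shape the CVE-2012-0957 fix takes (clamp_t() on the length, a zeroed buffer, and copying only the formatted bytes plus the terminator). copy_to_user() is modelled with memcpy(); UTS_RELEASE, VERSION_MINOR and the 'S' fill that stands in for stale stack bytes are constructed, and the function names are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define UTS_RELEASE   "3.4.0"   /* constructed: running kernel's release string */
#define VERSION_MINOR 4         /* constructed: (LINUX_VERSION_CODE >> 8) & 0xff */
#define UNAME26_MINOR (VERSION_MINOR + 40)   /* 3.4 is reported as 2.6.44 */

/* Same idea as the kernel's clamp_t(): pin val into [lo, hi]. */
#define clamp_t(type, val, lo, hi) \
    ((type)(val) < (type)(lo) ? (type)(lo) : \
     (type)(val) > (type)(hi) ? (type)(hi) : (type)(val))

/* Skip the "major.minor.patch" prefix; whatever remains ("-rc1", "") is
 * appended after the fake 2.6.x version, as UNAME26 does. */
static const char *uname26_rest(void)
{
    const char *rest = UTS_RELEASE;
    int ndots = 0;
    while (*rest) {
        if (*rest == '.' && ++ndots >= 3) break;
        if (!isdigit((unsigned char)*rest) && *rest != '.') break;
        rest++;
    }
    return rest;
}

/* Pre-fix shape: snprintf() writes the short string and its NUL, but the
 * copy to user space uses the caller's full len, so the untouched tail of
 * buf (here pre-filled with 'S' to model stale stack bytes) goes out too. */
size_t override_release_leaky(char *user_dst, size_t len)
{
    char buf[65];
    memset(buf, 'S', sizeof(buf));                 /* constructed stale stack */
    snprintf(buf, len, "2.6.%u%s", UNAME26_MINOR, uname26_rest());
    memcpy(user_dst, buf, len);                    /* copy_to_user(.., len) */
    return len;
}

/* Fixed shape: clamp len to the buffer, start from a zeroed buffer, and copy
 * only the formatted length plus the terminator (what scnprintf() returns). */
size_t override_release_fixed(char *user_dst, size_t len)
{
    char buf[65] = { 0 };
    size_t copy = clamp_t(size_t, len, 1, sizeof(buf));
    int n = snprintf(buf, copy, "2.6.%u%s", UNAME26_MINOR, uname26_rest());
    if (n < 0) n = 0;
    if ((size_t)n >= copy) n = (int)copy - 1;      /* truncated: scnprintf() value */
    memcpy(user_dst, buf, (size_t)n + 1);
    return (size_t)n + 1;
}

/* Non-zero bytes the caller received past the string terminator. */
size_t count_leaked(const char *dst, size_t len)
{
    size_t leaked = 0;
    for (size_t i = strlen(dst) + 1; i < len; i++)
        if (dst[i] != 0) leaked++;
    return leaked;
}
```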

Revision history for this message
Kees Cook (kees) wrote :

Here is the PoC

Revision history for this message
Kees Cook (kees) wrote :

Here is the recommended fix. I'd like to get a CVE for this before sending it to upstream.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2012-0957

Revision history for this message
Kees Cook (kees) wrote :

Thanks! I'm setting the upstream CRD to Oct 9th unless I hear otherwise.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This is public now and being tracked in 1065622. Since that is the bug that is going to be used in the changelog, I am going to mark this as a duplicate.

visibility: private → public
Changed in linux (Ubuntu):
status: New → Confirmed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Unfortunately, the duplicate functionality in LP is timing out. I will mention in bug #1065622 that this is a duplicate.

tags: added: patch
Changed in linux (Ubuntu):
importance: Undecided → High
tags: added: verification-done-quantal
Revision history for this message
Adam Conrad (adconrad) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.5.0-19.30

---------------
linux (3.5.0-19.30) quantal-proposed; urgency=low

  [Luis Henriques]

  * Release Tracking Bug
    - LP: #1078041

  [ Andy Whitcroft ]

  * [Config] update Vcs-git: to point to quantal
    - LP: #1069204

  [ Joseph Salisbury ]

  * SAUCE: ALSA: hda - add quirk for Thinkpad T430
    - LP: #1060372

  [ Tim Gardner ]

  * [Config] CONFIG_USB_OTG=n for all but armel/armhf
    - LP: #1047527
  * [Config] remove ndiswrapper from Provides:
    - LP: #1076395
  * [Config] ONFIG_AMD_IOMMU_V2=m
    - LP: #1071520

  [ Upstream Kernel Changes ]

  * kernel/sys.c: fix stack memory content leak via UNAME26
    - LP: #1065622, #1060521
    - CVE-2012-0957
  * use clamp_t in UNAME26 fix
    - LP: #1065622, #1060521
    - CVE-2012-0957
  * net: fix divide by zero in tcp algorithm illinois
    - LP: #1077091
    - CVE-2012-4565

  [ Wen-chien Jesse Sung ]

  * SAUCE: Bluetooth: Add a load_firmware callback to struct hci_dev
    - LP: #1065400
  * SAUCE: Bluetooth: Implement broadcom patchram firmware loader
    - LP: #1065400
  * SAUCE: Bluetooth: Add support for 13d3:3388 and 13d3:3389
    - LP: #1065400
 -- Luis Henriques <email address hidden> Tue, 13 Nov 2012 15:49:15 +0000

Changed in linux (Ubuntu):
status: Confirmed → Fix Released
This report contains Public Security information. Everyone can see this security related information.
