uname under UNAME26 personality leaks kernel stack contents

Bug #1060521 reported by Kees Cook
This bug report is a duplicate of: Bug #1065622: CVE-2012-0957.
Affects: linux (Ubuntu)

Bug Description

When using the UNAME26 personality, the uname() syscall will leak kernel stack contents:

$ ./uts-leak
Leaked 65 bytes!
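Added example, not the PoC attached to this bug and not kernel/sys.c verbatim: a user-space model of override_release(), the helper that rewrites utsname.release when the UNAME26 personality is set. The vulnerable variant mirrors the pre-fix logic (uninitialized 65-byte stack buffer, snprintf() of a short string, copy of the full field length to user space); the fixed variant mirrors the shape of the two fix commits listed in the changelog further down (zeroed buffer, clamp_t on the length, scnprintf() return value as the copy length). The release string "3.5.0-19-generic", the version code and the 0xAA stack sentinel are constructed for the demonstration; the "Leaked 65 bytes!" figure above comes from the attached PoC's own counting, whereas this model counts only sentinel bytes past the NUL, which for this release string is 47 of the 65 copied.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NEW_UTS_LEN        64    /* struct new_utsname fields are 65 bytes */
#define STACK_SENTINEL     0xAA  /* stands in for stale kernel stack bytes */
#define LINUX_VERSION_CODE ((3 << 16) | (5 << 8) | 0)  /* 3.5.0, constructed */
#define FAKE_MINOR         (((LINUX_VERSION_CODE >> 8) & 0xff) + 40) /* 3.5 -> 2.6.45 */

/* Constructed stand-in for UTS_RELEASE. */
static const char *uts_release = "3.5.0-19-generic";

/* Skip the leading "major.minor.patch" digits and keep whatever follows
 * ("-19-generic" here); the rewritten string is "2.6.<40+minor><rest>". */
static const char *release_rest(void)
{
    const char *rest = uts_release;
    int ndots = 0;

    while (*rest) {
        if (*rest == '.' && ++ndots >= 3)
            break;
        if (!isdigit((unsigned char)*rest) && *rest != '.')
            break;
        rest++;
    }
    return rest;
}

/* Pre-fix logic: 'buf' is an uninitialized 65-byte stack array (modelled by
 * filling it with the sentinel), snprintf() stores a short string plus NUL,
 * and all 'len' bytes go to user space, stale tail included. The kernel
 * callers pass 9 (old_uname) or 65 (newuname). Returns bytes copied. */
static size_t override_release_vulnerable(char *release, size_t len)
{
    char buf[NEW_UTS_LEN + 1];

    if (len > sizeof(buf))            /* keep the model itself memory-safe */
        return 0;
    memset(buf, STACK_SENTINEL, sizeof(buf));
    snprintf(buf, len, "2.6.%u%s", (unsigned)FAKE_MINOR, release_rest());
    memcpy(release, buf, len);        /* copy_to_user(release, buf, len) */
    return len;
}

/* Post-fix logic: zero the buffer, clamp the size (clamp_t), take the stored
 * length from scnprintf(), and copy only the string plus its NUL. */
static size_t override_release_fixed(char *release, size_t len)
{
    char buf[NEW_UTS_LEN + 1] = { 0 };
    size_t size, copy;
    int n;

    size = len < 1 ? 1 : (len > sizeof(buf) ? sizeof(buf) : len);    /* clamp_t */
    n = snprintf(buf, size, "2.6.%u%s", (unsigned)FAKE_MINOR, release_rest());
    copy = n < 0 ? 0 : ((size_t)n >= size ? size - 1 : (size_t)n);  /* scnprintf */
    memcpy(release, buf, copy + 1);   /* copy_to_user(release, buf, copy + 1) */
    return copy + 1;
}

/* Bytes handed to 'release' after the string's NUL that still carry the
 * stack sentinel: stale stack content delivered to user space. */
static size_t leaked_bytes(size_t (*variant)(char *, size_t), size_t len)
{
    char release[NEW_UTS_LEN + 1];
    size_t copied, i = 0, leaked = 0;

    memset(release, 0, sizeof(release));
    copied = variant(release, len);
    while (i < copied && release[i] != '\0')
        i++;                          /* i indexes the terminating NUL */
    for (i++; i < copied; i++)
        if ((unsigned char)release[i] == STACK_SENTINEL)
            leaked++;
    return leaked;
}

/* 1 if the fixed variant yields 'expected' for a 'len'-byte release field. */
static int fixed_release_equals(size_t len, const char *expected)
{
    char rel[NEW_UTS_LEN + 1];

    memset(rel, 0, sizeof(rel));
    override_release_fixed(rel, len);
    return strcmp(rel, expected) == 0;
}

int main(void)
{
    char rel[NEW_UTS_LEN + 1];

    override_release_fixed(rel, sizeof(rel));
    printf("UNAME26 release: %s\n", rel);
    printf("vulnerable: leaked %zu bytes\n",
           leaked_bytes(override_release_vulnerable, NEW_UTS_LEN + 1));
    printf("fixed:      leaked %zu bytes\n",
           leaked_bytes(override_release_fixed, NEW_UTS_LEN + 1));
    return 0;
}
```

The model also shows why the amount leaked depends on the field size: with the 9-byte old_uname() field the rewritten string fills the whole buffer and nothing stale is copied, while the 65-byte newuname() field carries the rest of the stack buffer. On a real kernel the personality can be set from the shell with `setarch $(uname -m) --uname-2.6 uname -r` to see the rewritten string, but checking for the leak itself needs a program that reads the raw bytes of utsname.release past the NUL, which is what the attached PoC does.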

Kees Cook (kees) wrote :

Here is the PoC

Kees Cook (kees) wrote :

Here is the recommended fix. I'd like to get a CVE for this before sending it to upstream.

Marc Deslauriers (mdeslaur) wrote :

This is CVE-2012-0957

Kees Cook (kees) wrote :

Thanks! I'm setting the upstream CRD to Oct 9th unless I hear otherwise.

Jamie Strandboge (jdstrand) wrote :

This is public now and being tracked in 1065622. Since that is the bug that is going to be used in the changelog, I am going to mark this as a duplicate.

visibility: private → public
Changed in linux (Ubuntu):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

Unfortunately, the duplicate functionality in LP is timing out. I will mention in bug #1065622 that this is a duplicate.

tags: added: patch
Changed in linux (Ubuntu):
importance: Undecided → High
tags: added: verification-done-quantal
Adam Conrad (adconrad) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.5.0-19.30

linux (3.5.0-19.30) quantal-proposed; urgency=low

  [Luis Henriques]

  * Release Tracking Bug
    - LP: #1078041

  [ Andy Whitcroft ]

  * [Config] update Vcs-git: to point to quantal
    - LP: #1069204

  [ Joseph Salisbury ]

  * SAUCE: ALSA: hda - add quirk for Thinkpad T430
    - LP: #1060372

  [ Tim Gardner ]

  * [Config] CONFIG_USB_OTG=n for all but armel/armhf
    - LP: #1047527
  * [Config] remove ndiswrapper from Provides:
    - LP: #1076395
  * [Config] ONFIG_AMD_IOMMU_V2=m
    - LP: #1071520

  [ Upstream Kernel Changes ]

  * kernel/sys.c: fix stack memory content leak via UNAME26
    - LP: #1065622, #1060521
    - CVE-2012-0957
  * use clamp_t in UNAME26 fix
    - LP: #1065622, #1060521
    - CVE-2012-0957
  * net: fix divide by zero in tcp algorithm illinois
    - LP: #1077091
    - CVE-2012-4565

  [ Wen-chien Jesse Sung ]

  * SAUCE: Bluetooth: Add a load_firmware callback to struct hci_dev
    - LP: #1065400
  * SAUCE: Bluetooth: Implement broadcom patchram firmware loader
    - LP: #1065400
  * SAUCE: Bluetooth: Add support for 13d3:3388 and 13d3:3389
    - LP: #1065400
 -- Luis Henriques <email address hidden> Tue, 13 Nov 2012 15:49:15 +0000

Changed in linux (Ubuntu):
status: Confirmed → Fix Released