Array overflow in au_procfs_plm_write

Bug #1951927 reported by Hangyu Hua
Affects: linux (Ubuntu) | Status: Confirmed | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

There is a simple array overflow when count = 20 in au_procfs_plm_write.

static ssize_t au_procfs_plm_write(struct file *file, const char __user *ubuf,
       size_t count, loff_t *ppos)
{
...
 char buf[3 + sizeof(unsigned long) * 2 + 1];

 err = -EACCES;
 if (unlikely(!capable(CAP_SYS_ADMIN)))
  goto out;

 err = -EINVAL;
 if (unlikely(count > sizeof(buf)))
  goto out;

 err = copy_from_user(buf, ubuf, count);
 if (unlikely(err)) {
  err = -EFAULT;
  goto out;
 }
 buf[count] = 0; <----here

...
}

My suggestion for the patch is:

static ssize_t au_procfs_plm_write(struct file *file, const char __user *ubuf,
       size_t count, loff_t *ppos)
{
...
 char buf[3 + sizeof(unsigned long) * 2 + 1];

 err = -EACCES;
 if (unlikely(!capable(CAP_SYS_ADMIN)))
  goto out;

 err = -EINVAL;
 if (unlikely(count > sizeof(buf)))
  goto out;

 err = copy_from_user(buf, ubuf, count);
 if (unlikely(err)) {
  err = -EFAULT;
  goto out;
 }
--- buf[count] = 0;
+++ buf[count - 1] = 0;

...
}
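Review bot: the proposed `buf[count - 1] = 0;` writes before the start of buf when count == 0, because the only size check above it is `count > sizeof(buf)`, which still admits a zero-length write; it also discards the last byte the caller actually sent. Either reject count == 0 alongside the existing check, or keep `buf[count] = 0;` and tighten the check to `count >= sizeof(buf)` so the terminator always has room inside the array.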

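A userspace model of the off-by-one and of a hardened check, added here as an example that is not part of the bug report or of aufs: the buffer dimension copies the one in the report, `plm_terminator_index_orig` and `plm_write_hardened` are names chosen for this model, and the copy from user memory is replaced by a plain memcpy.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Same dimension as the kernel buffer: 3 + 2*sizeof(unsigned long) + 1 (20 on LP64). */
#define PLM_BUF_LEN (3 + sizeof(unsigned long) * 2 + 1)

/*
 * Model of the original check only: returns the index the NUL terminator would
 * be written to, or -EINVAL when the original `count > sizeof(buf)` test rejects.
 * No buffer is touched, so the out-of-bounds index can be observed safely.
 */
int plm_terminator_index_orig(size_t count)
{
    if (count > PLM_BUF_LEN)
        return -EINVAL;
    return (int)count;   /* equals PLM_BUF_LEN when count == sizeof(buf): one past the end */
}

/*
 * Hardened model of the write handler (hypothetical, not the aufs code):
 * reject empty writes and any write that leaves no room for the terminator,
 * then copy, NUL-terminate and strip a trailing newline. `ubuf` stands in for
 * the user pointer; copy_from_user() is modelled by memcpy().
 */
int plm_write_hardened(const char *ubuf, size_t count, char *out, size_t outlen)
{
    char buf[PLM_BUF_LEN];

    if (count == 0 || count >= sizeof(buf))
        return -EINVAL;          /* guarantees buf[count] is inside the array */
    memcpy(buf, ubuf, count);
    buf[count] = '\0';           /* always in bounds now */
    if (buf[count - 1] == '\n')
        buf[count - 1] = '\0';   /* drop the newline that echo(1) appends */
    if (strlen(buf) + 1 > outlen)
        return -EINVAL;
    strcpy(out, buf);
    return 0;
}
```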
affects: ubuntu → linux (Ubuntu)
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Hey Cascardo, is this one for the kernel team?

Thanks

Revision history for this message
Steve Beattie (sbeattie) wrote :

This is in the aufs out-of-tree module, which was removed from kernels in hirsute's cycle, so it only affects 5.4 kernels and older. Also, the capable(CAP_SYS_ADMIN) check requires essentially root admin privileges in the initial namespace in order to take advantage of this.

Based on that, it's probably best if this is made public and taken directly to the aufs upstream: https://sourceforge.net/projects/aufs/

Cascardo, do you agree?

Revision history for this message
Hangyu Hua (hbh25y) wrote :

Hi guys, I just want to say that this module was still in the Ubuntu kernel when I found it in Linux ubuntu 5.10.0-1044-oem. But the latest kernel version has removed this module. So I agree with Steve.

Revision history for this message
Steve Beattie (sbeattie) wrote :

Thanks, making this public.

information type: Private Security → Public Security
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1951927

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for linux (Ubuntu) because there has been no activity for 60 days.]

Changed in linux (Ubuntu):
status: Incomplete → Expired
Steve Beattie (sbeattie)
Changed in linux (Ubuntu):
status: Expired → Confirmed
This report contains Public Security information: everyone can see this security related information.