FPII-2529: inf-discl/ vuln/ in kernel components CVE-2016-7916 A-30951939
If /proc/<PID>/environ gets read before the envp array is fully set up, there
is a potential information disclosure vulnerability as more bytes can be read
than are actually written.
The fix is designed to check the env_end variable to ensure the process spawned
far enough to have an environment and to prevent the potential information
disclosure vulnerability.
based on:
author Mathias Krause <minipli@googlemail.com> 2016-05-05 23:22:26 (GMT)
commit 8148a73c9901a8794a50f950083c00ccf97d43b3 (patch)
proc: prevent accessing /proc/<PID>/environ until it's ready
If /proc/<PID>/environ gets read before the envp[] array is fully set up
in create_{aout,elf,elf_fdpic,flat}_tables(), we might end up trying to
read more bytes than are actually written, as env_start will already be
set but env_end will still be zero, making the range calculation
underflow, allowing to read beyond the end of what has been written.
Fix this as it is done for /proc/<PID>/cmdline by testing env_end for
zero. It is, apparently, intentionally set last in create_*_tables().
This bug was found by the PaX size_overflow plugin that detected the
arithmetic underflow of 'this_len = env_end - (env_start + src)' when
env_end is still zero.
The expected consequence is that userland trying to access
/proc/<PID>/environ of a not yet fully set up process may get
inconsistent data as we're in the middle of copying in the environment
variables.
Change-Id: I78a4db467d05566ced5e5f5ffd0d20bda316b64e
1 file changed