CHROMIUM: fix stack memory contents leak in UNAME26

The UNAME26 personality allows a leak of kernel stack contents. This
fixes it by initializing the stack buffer to zero and truncating the
copy_to_user correctly.

BUG=None
TEST=parrot build, verified proper wiping of stack contents under UNAME26

Change-Id: Iab2ff3b111596db897b33e45de9c5d0b5db9849c
[submitting upstream]
Reported-by: Brad Spengler <spender@grsecurity.net>
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/34482
Reviewed-by: Olof Johansson <olofj@chromium.org>

diff --git a/kernel/sys.c b/kernel/sys.c
index ba0ae8e..8d58d87 100644 (file)
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1179,13 +1179,13 @@ DECLARE_RWSEM(uts_sem);
  * Work around broken programs that cannot handle "Linux 3.0".
  * Instead we map 3.x to 2.6.40+x, so e.g. 3.0 would be 2.6.40
  */
-static int override_release(char __user *release, int len)
+static int override_release(char __user *release, size_t len)
 {
        int ret = 0;
-       char buf[65];
+       char buf[65] = { 0 };
+       const char *rest = UTS_RELEASE;
 
        if (current->personality & UNAME26) {
-               char *rest = UTS_RELEASE;
                int ndots = 0;
                unsigned v;
 
@@ -1197,7 +1197,9 @@ static int override_release(char __user *release, int len)
                        rest++;
                }
                v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40;
-               snprintf(buf, len, "2.6.%u%s", v, rest);
+               snprintf(buf, sizeof(buf), "2.6.%u%s", v, rest);
+               if (sizeof(buf) < len)
+                       len = sizeof(buf);
                ret = copy_to_user(release, buf, len);
        }
        return ret;