[rsbac] Buffer overflow in UM leading to potential crash with kernels up to 4.4.y

Amon Ott ao at rsbac.org
Tue Sep 5 12:03:47 CEST 2017


Hello everyone,

the RSBAC user management (UM) code in kernels up to 4.4.y contains a
buffer overflow in the password checking code. When the password to be
checked has at least 20 characters, one extra 0 is written beyond the
end of the allocated buffer. The bug has been fixed on the fly while
porting RSBAC to the new hashing interface in kernel 4.9, but not for
older kernels.

The overflow can lead to spurious system crashes due to memory
management corruption. In my opinion it cannot be exploited to execute
any code. As a workaround, slub debugging detects and corrects the
corruption. Just add slub_debug to your kernel parameters, if you happen
to use the slub implementation of memory slabs, which should be default
in all recent kernels.

The bug has been fixed today for all supported kernels in the latest git
commits. Additionally, I have attached a patch for the 4.4 kernel series.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
-------------- next part --------------
A non-text attachment was scrubbed...
Name: um-buffer-fix.diff
Type: text/x-patch
Size: 1682 bytes
Desc: not available
URL: <http://www.rsbac.org/pipermail/rsbac/attachments/20170905/a854dada/attachment.bin>
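
A check for the workaround described in the message above, as an added example that is not part of the original post or of the RSBAC code. The function names are hypothetical. The script only looks at the kernel release and boot parameters, so it cannot tell whether a kernel in the 4.4.y-or-older range already carries the fix.

```shell
#!/bin/sh
# Added example (not RSBAC project code): report whether the slub_debug
# workaround from the advisory is active on a kernel in the 4.4.y-or-older range.

# Succeeds if the kernel command line in $1 contains slub_debug,
# either bare or with options (slub_debug=FZP).
has_slub_debug() {
    case " $1 " in
        *" slub_debug "*|*" slub_debug="*) return 0 ;;
    esac
    return 1
}

# Succeeds if the release string in $1 (e.g. "4.4.86-rsbac") is 4.4.y or older.
# Returns 2 if the string cannot be parsed.
in_affected_range() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -le 4 ]; }
}

# Prints one verdict for release $1 and command line $2.
um_workaround_status() {
    in_affected_range "$1" && rc=0 || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "unknown-release"
    elif [ "$rc" -ne 0 ]; then
        echo "not-in-range"
    elif has_slub_debug "$2"; then
        echo "workaround-active"
    else
        echo "workaround-missing"
    fi
}

# Live check; skipped where /proc/cmdline is not readable.
if [ -r /proc/cmdline ]; then
    echo "kernel $(uname -r): $(um_workaround_status "$(uname -r)" "$(cat /proc/cmdline)")"
    # /sys/kernel/slab is SLUB's sysfs directory; slub_debug only applies to SLUB.
    [ -d /sys/kernel/slab ] || echo "note: /sys/kernel/slab missing, SLUB may not be in use"
fi
```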

