Bug 986794 - (CVE-2014-9903) VUL-0: CVE-2014-9903: kernel-source: The sched_read_attr function in kernel/sched/core.c in the Linuxkernel 3.14-rc before 3.14-rc4 uses...
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: E-mail List Security Team bot
Reported: 2016-06-28 09:41 UTC by Marcus Meissner
Modified: 2016-06-28 10:42 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2016-06-28 09:41:14 UTC

The sched_read_attr function in kernel/sched/core.c in the Linux
kernel 3.14-rc before 3.14-rc4 uses an incorrect size, which allows
local users to obtain sensitive information from kernel stack memory
via a crafted sched_getattr system call.

Comment 1 Marcus Meissner 2016-06-28 10:40:35 UTC
I have actually no further information.

With the 2014 id and the function I think it is:

commit 4efbc454ba68def5ef285b26ebfcfdb605b52755
Author: Vegard Nossum <vegard.nossum@oracle.com>
Date:   Sun Feb 16 22:24:17 2014 +0100

    sched: Fix information leak in sys_sched_getattr()

    We're copying the on-stack structure to userspace, but forgot to give
    the right number of bytes to copy. This allows the calling process to
    obtain up to PAGE_SIZE bytes from the stack (and possibly adjacent
    kernel memory).

    This fix copies only as much as we actually have on the stack
    (attr->size defaults to the size of the struct) and leaves the rest of
    the userspace-provided buffer untouched.

    Found using kmemcheck + trinity.

    Fixes: d50dde5a10f30 ("sched: Add new scheduler syscalls to support an extended scheduling parameters ABI")
    Cc: Dario Faggioli <raistlin@linux.it>
    Cc: Juri Lelli <juri.lelli@gmail.com>
    Cc: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
    Signed-off-by: Peter Zijlstra <peterz@infradead.org>
    Link: http://lkml.kernel.org/r/1392585857-10725-1-git-send-email-vegard.nossum@oracle.com
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index 33d030a..a6e7470 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -3786,7 +3786,7 @@ static int sched_read_attr(struct sched_attr __user *uattr,
                attr->size = usize;
-       ret = copy_to_user(uattr, attr, usize);
+       ret = copy_to_user(uattr, attr, attr->size);
        if (ret)
                return -EFAULT;
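Review bot: the copy length on the `+` line changes from the caller-supplied `usize` to `attr->size`, which is the correct bound because `attr` is the kernel's own on-stack struct; the context line `attr->size = usize;` shows that `attr->size` is only lowered to `usize` when the caller's struct is smaller, so a larger `usize` can no longer extend the copy past the struct. A short comment on the `copy_to_user()` line saying that the length is deliberately `attr->size` and not `usize` would stop a later cleanup from reintroducing the over-read.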
Comment 2 Marcus Meissner 2016-06-28 10:42:56 UTC
d50dde5a10f30 was added for 3.13, the fix was added for 3.14.

This range does not cover any SUSE Linux / openSUSE product.
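The length mix-up described in the commit message in comment 1, as an added userspace model that is not kernel code: the kernel stack is simulated as a page-sized buffer with the attr struct at offset 0 and canary bytes behind it, the struct is a trimmed stand-in for struct sched_attr, and `model_sched_read_attr()` can copy either `usize` (pre-fix) or `attr->size` (fixed) bytes so the difference in what reaches user space can be counted.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the kernel's struct sched_attr (same leading fields). */
struct sched_attr {
    uint32_t size, sched_policy;
    uint64_t sched_flags;
    int32_t  sched_nice;
    uint32_t sched_priority;
    uint64_t sched_runtime, sched_deadline, sched_period;
};

#define KPAGE_SIZE 4096   /* sys_sched_getattr() caps usize at PAGE_SIZE */
#define CANARY     0xAA   /* constructed marker for "other kernel stack data" */

/* Simulated kernel stack: attr at offset 0, then unrelated data filled with
 * CANARY so any over-read into it is easy to count. */
struct kstack {
    struct sched_attr attr;
    unsigned char rest[KPAGE_SIZE - sizeof(struct sched_attr)];
};

/* Model of sched_read_attr(): copy the kernel attr into the user buffer.
 * fixed=0 copies usize bytes (pre-4efbc454), fixed=1 copies attr->size.
 * Returns the number of bytes handed to user space. */
static size_t model_sched_read_attr(unsigned char *ubuf, unsigned int usize, int fixed)
{
    struct kstack ks;
    size_t len;
    if (usize > KPAGE_SIZE)            /* rejected earlier in the real syscall */
        return 0;
    memset(&ks, CANARY, sizeof(ks));
    memset(&ks.attr, 0, sizeof(ks.attr));
    ks.attr.size = sizeof(ks.attr);    /* kernel reports its own struct size */
    if (usize < sizeof(ks.attr))       /* older caller: report the smaller size */
        ks.attr.size = usize;          /* (upstream also checks the tail is zero) */
    len = fixed ? ks.attr.size : usize;  /* the one-token change in the patch */
    memcpy(ubuf, &ks, len);              /* stands in for copy_to_user() */
    return len;
}

/* Number of CANARY bytes (non-attr kernel stack) that reached user space. */
static size_t leaked_bytes(unsigned int usize, int fixed)
{
    unsigned char ubuf[KPAGE_SIZE] = {0};
    size_t n = model_sched_read_attr(ubuf, usize, fixed), i, leaked = 0;
    for (i = 0; i < n; i++)
        if (ubuf[i] == CANARY)
            leaked++;
    return leaked;
}
```

With a page-sized usize the pre-fix model returns everything past the struct, while the fixed model never copies beyond sizeof(struct sched_attr) and leaves the rest of the user buffer untouched.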