|
 |
2c67cd6 |
Bugzilla: 1112073
|
|
|
2c67cd6 |
Upstream-status: Sent for 3.16 and CC'd to stable
|
|
|
2c67cd6 |
Delivered-To: jwboyer@gmail.com
|
|
|
2c67cd6 |
Received: by 10.76.6.212 with SMTP id d20csp139586oaa;
|
|
|
2c67cd6 |
Mon, 23 Jun 2014 14:28:15 -0700 (PDT)
|
|
|
2c67cd6 |
X-Received: by 10.68.222.196 with SMTP id qo4mr32453892pbc.14.1403558895116;
|
|
|
2c67cd6 |
Mon, 23 Jun 2014 14:28:15 -0700 (PDT)
|
|
|
2c67cd6 |
Return-Path: <stable-owner@vger.kernel.org>
|
|
|
2c67cd6 |
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
|
|
|
2c67cd6 |
by mx.google.com with ESMTP id bm3si23587434pad.232.2014.06.23.14.27.47
|
|
|
2c67cd6 |
for <multiple recipients>;
|
|
|
2c67cd6 |
Mon, 23 Jun 2014 14:28:15 -0700 (PDT)
|
|
|
2c67cd6 |
Received-SPF: none (google.com: stable-owner@vger.kernel.org does not designate permitted sender hosts) client-ip=209.132.180.67;
|
|
|
2c67cd6 |
Authentication-Results: mx.google.com;
|
|
|
2c67cd6 |
spf=neutral (google.com: stable-owner@vger.kernel.org does not designate permitted sender hosts) smtp.mail=stable-owner@vger.kernel.org
|
|
|
2c67cd6 |
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
|
|
|
2c67cd6 |
id S1752475AbaFWVWX (ORCPT <rfc822;tuffkidtt@gmail.com> + 73 others);
|
|
|
2c67cd6 |
Mon, 23 Jun 2014 17:22:23 -0400
|
|
|
2c67cd6 |
Received: from mail-pb0-f42.google.com ([209.85.160.42]:39692 "EHLO
|
|
|
2c67cd6 |
mail-pb0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
|
|
|
2c67cd6 |
with ESMTP id S1752518AbaFWVWW (ORCPT
|
|
|
2c67cd6 |
<rfc822;stable@vger.kernel.org>); Mon, 23 Jun 2014 17:22:22 -0400
|
|
|
2c67cd6 |
Received: by mail-pb0-f42.google.com with SMTP id ma3so6319797pbc.15
|
|
|
2c67cd6 |
for <stable@vger.kernel.org>; Mon, 23 Jun 2014 14:22:21 -0700 (PDT)
|
|
|
2c67cd6 |
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
|
|
|
2c67cd6 |
d=1e100.net; s=20130820;
|
|
|
2c67cd6 |
h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
|
|
|
2c67cd6 |
:references:mime-version:content-type:content-transfer-encoding;
|
|
|
2c67cd6 |
bh=7AW5eK5e3OhAcFYPrsffKoD56CbJdqfg9BcyF1JKfUE=;
|
|
|
2c67cd6 |
b=iLlWTJCuH9FlKTif4N6XtFZNvj8a/fbsjuP4kWWD/gmHHGEOWI6bh2Jm8X3vcN6GtV
|
|
|
2c67cd6 |
f7rqFO0SAMf197e66uME3pq8NzYFad4eRgJpBGON93P22+cPbqrsT9FZjMZqn2bJkEw4
|
|
|
2c67cd6 |
EDZZy2MFqm3Kx2m/5g76NLDV1tgafEnwbgL1vg6IxlbPi6J8inkXwKP3FdMoTcfRBO6p
|
|
|
2c67cd6 |
dIcI1cV7VDNf6zKaMj+XS/ZiSxqpArhwvZ6xnXRmLfgD+x/JsxEcg2pX03BXHTKO9QNm
|
|
|
2c67cd6 |
nixe+cuug0X0E5idHuiLJzV0Wf6IhYsvVz/FvjY16pggduecA2NgNU2e7txqb+IcTBZ/
|
|
|
2c67cd6 |
jBbA==
|
|
|
2c67cd6 |
X-Gm-Message-State: ALoCoQlblcwmTrVjpekrIOzidDrxwB18p5Rfd5SObiPQifpOQZmSFUKrxzV0kxCjcW/wVwxOzAG7
|
|
|
2c67cd6 |
X-Received: by 10.68.197.8 with SMTP id iq8mr32930210pbc.124.1403558541680;
|
|
|
2c67cd6 |
Mon, 23 Jun 2014 14:22:21 -0700 (PDT)
|
|
|
2c67cd6 |
Received: from localhost (50-76-60-73-ip-static.hfc.comcastbusiness.net. [50.76.60.73])
|
|
|
2c67cd6 |
by mx.google.com with ESMTPSA id fl6sm99195659pab.43.2014.06.23.14.22.19
|
|
|
2c67cd6 |
for <multiple recipients>
|
|
|
2c67cd6 |
(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
|
|
|
2c67cd6 |
Mon, 23 Jun 2014 14:22:20 -0700 (PDT)
|
|
|
2c67cd6 |
From: Andy Lutomirski <luto@amacapital.net>
|
|
|
2c67cd6 |
Cc: "H. Peter Anvin" <hpa@zytor.com>,
|
|
|
2c67cd6 |
Richard Weinberger <richard@nod.at>, X86 ML <x86@kernel.org>,
|
|
|
2c67cd6 |
Eric Paris <eparis@redhat.com>,
|
|
|
2c67cd6 |
Linux Kernel <linux-kernel@vger.kernel.org>,
|
|
|
2c67cd6 |
security@kernel.org, Steven Rostedt <rostedt@goodmis.org>,
|
|
|
2c67cd6 |
Borislav Petkov <bp@alien8.de>,
|
|
|
2c67cd6 |
=?UTF-8?q?Toralf=20F=C3=B6rster?= <toralf.foerster@gmx.de>,
|
|
|
2c67cd6 |
Andy Lutomirski <luto@amacapital.net>, stable@vger.kernel.org,
|
|
|
2c67cd6 |
Roland McGrath <roland@redhat.com>
|
|
|
2c67cd6 |
Subject: [PATCH] x86_32,entry: Do syscall exit work on badsys (CVE-2014-4508)
|
|
|
2c67cd6 |
Date: Mon, 23 Jun 2014 14:22:15 -0700
|
|
|
2c67cd6 |
Message-Id: <e09c499eade6fc321266dd6b54da7beb28d6991c.1403558229.git.luto@amacapital.net>
|
|
|
2c67cd6 |
X-Mailer: git-send-email 1.9.3
|
|
|
2c67cd6 |
In-Reply-To: <CA+5PVA70nFS8JZkL0-Q-1HjFHT5NA04275_M4WstjQMrpT+hrQ@mail.gmail.com>
|
|
|
2c67cd6 |
References: <CA+5PVA70nFS8JZkL0-Q-1HjFHT5NA04275_M4WstjQMrpT+hrQ@mail.gmail.com>
|
|
|
2c67cd6 |
MIME-Version: 1.0
|
|
|
2c67cd6 |
Content-Type: text/plain; charset=UTF-8
|
|
|
2c67cd6 |
Content-Transfer-Encoding: 8bit
|
|
|
2c67cd6 |
To: unlisted-recipients:; (no To-header on input)
|
|
|
2c67cd6 |
Sender: stable-owner@vger.kernel.org
|
|
|
2c67cd6 |
Precedence: bulk
|
|
|
2c67cd6 |
List-ID: <stable.vger.kernel.org>
|
|
|
2c67cd6 |
X-Mailing-List: stable@vger.kernel.org
|
|
|
2c67cd6 |
|
|
|
2c67cd6 |
The bad syscall nr paths are their own incomprehensible route
|
|
|
2c67cd6 |
through the entry control flow. Rearrange them to work just like
|
|
|
2c67cd6 |
syscalls that return -ENOSYS.
|
|
|
2c67cd6 |
|
|
|
2c67cd6 |
This fixes an OOPS in the audit code when fast-path auditing is
|
|
|
2c67cd6 |
enabled and sysenter gets a bad syscall nr (CVE-2014-4508).
|
|
|
2c67cd6 |
|
|
|
2c67cd6 |
This has probably been broken since Linux 2.6.27:
|
|
|
2c67cd6 |
af0575bba0 i386 syscall audit fast-path
|
|
|
2c67cd6 |
|
|
|
2c67cd6 |
Cc: stable@vger.kernel.org
|
|
|
2c67cd6 |
Cc: Roland McGrath <roland@redhat.com>
|
|
|
2c67cd6 |
Reported-by: Toralf Förster <toralf.foerster@gmx.de>
|
|
|
2c67cd6 |
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
|
|
|
2c67cd6 |
---
|
|
|
2c67cd6 |
|
|
|
2c67cd6 |
I realize that the syscall audit fast path and badsys code, on 32-bit
|
|
|
2c67cd6 |
x86 no less, is possibly one of the least fun things in the kernel to
|
|
|
2c67cd6 |
review, but this is still a real security bug and should get fixed :(
|
|
|
2c67cd6 |
|
|
|
2c67cd6 |
So I'm cc-ing a bunch of people and maybe someone will review it.
|
|
|
2c67cd6 |
|
|
|
2c67cd6 |
arch/x86/kernel/entry_32.S | 10 ++++++++--
|
|
|
2c67cd6 |
1 file changed, 8 insertions(+), 2 deletions(-)
|
|
|
2c67cd6 |
|
|
|
2c67cd6 |
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
|
|
|
2c67cd6 |
index a2a4f46..f4258a5 100644
|
|
|
2c67cd6 |
--- a/arch/x86/kernel/entry_32.S
|
|
|
2c67cd6 |
+++ b/arch/x86/kernel/entry_32.S
|
|
|
2c67cd6 |
@@ -431,9 +431,10 @@ sysenter_past_esp:
|
|
|
2c67cd6 |
jnz sysenter_audit
|
|
|
2c67cd6 |
sysenter_do_call:
|
|
|
2c67cd6 |
cmpl $(NR_syscalls), %eax
|
|
|
2c67cd6 |
- jae syscall_badsys
|
|
|
2c67cd6 |
+ jae sysenter_badsys
|
|
|
2c67cd6 |
call *sys_call_table(,%eax,4)
|
|
|
2c67cd6 |
movl %eax,PT_EAX(%esp)
|
|
|
2c67cd6 |
+sysenter_after_call:
|
|
|
2c67cd6 |
LOCKDEP_SYS_EXIT
|
|
|
2c67cd6 |
DISABLE_INTERRUPTS(CLBR_ANY)
|
|
|
2c67cd6 |
TRACE_IRQS_OFF
|
|
|
2c67cd6 |
@@ -688,7 +689,12 @@ END(syscall_fault)
|
|
|
2c67cd6 |
|
|
|
2c67cd6 |
syscall_badsys:
|
|
|
2c67cd6 |
movl $-ENOSYS,PT_EAX(%esp)
|
|
|
2c67cd6 |
- jmp resume_userspace
|
|
|
2c67cd6 |
+ jmp syscall_exit
|
|
|
2c67cd6 |
+END(syscall_badsys)
|
|
|
2c67cd6 |
+
|
|
|
2c67cd6 |
+sysenter_badsys:
|
|
|
2c67cd6 |
+ movl $-ENOSYS,PT_EAX(%esp)
|
|
|
2c67cd6 |
+ jmp sysenter_after_call
|
|
|
2c67cd6 |
END(syscall_badsys)
|
|
|
2c67cd6 |
CFI_ENDPROC
|
|
|
2c67cd6 |
/*
|
|
|
2c67cd6 |
--
|
|
|
2c67cd6 |
1.9.3
|
|
|
2c67cd6 |
|
|
|
2c67cd6 |
--
|
|
|
2c67cd6 |
To unsubscribe from this list: send the line "unsubscribe stable" in
|
|
|
2c67cd6 |
the body of a message to majordomo@vger.kernel.org
|
|
|
2c67cd6 |
More majordomo info at http://vger.kernel.org/majordomo-info.html
|