[kernel/f14/master] security fixes from git head
Kyle McMartin
kyle at fedoraproject.org
Wed Sep 15 00:51:56 UTC 2010
commit a1b0ec05b621ca8913da33170907e522ff9391dc
Author: Kyle McMartin <kyle at dreadnought.i.jkkm.org>
Date: Tue Sep 14 20:51:27 2010 -0400
security fixes from git head
...ser_space-incorporate-the-access_ok-check.patch | 189 ++++++++++++++++++++
...st-rax-for-the-system-call-number-not-eax.patch | 97 ++++++++++
...cate-rax-after-ia32-syscall-entry-tracing.patch | 49 +++++
...r-multiplication-overflow-in-do_io_submit.patch | 47 +++++
kernel.spec | 18 ++-
5 files changed, 399 insertions(+), 1 deletions(-)
---
diff --git a/01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch b/01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
new file mode 100644
index 0000000..f0ecb03
--- /dev/null
+++ b/01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
@@ -0,0 +1,189 @@
+From c41d68a513c71e35a14f66d71782d27a79a81ea6 Mon Sep 17 00:00:00 2001
+From: H. Peter Anvin <hpa at linux.intel.com>
+Date: Tue, 7 Sep 2010 16:16:18 -0700
+Subject: [PATCH] compat: Make compat_alloc_user_space() incorporate the access_ok()
+
+compat_alloc_user_space() expects the caller to independently call
+access_ok() to verify the returned area. A missing call could
+introduce problems on some architectures.
+
+This patch incorporates the access_ok() check into
+compat_alloc_user_space() and also adds a sanity check on the length.
+The existing compat_alloc_user_space() implementations are renamed
+arch_compat_alloc_user_space() and are used as part of the
+implementation of the new global function.
+
+This patch assumes NULL will cause __get_user()/__put_user() to either
+fail or access userspace on all architectures. This should be
+followed by checking the return value of compat_access_user_space()
+for NULL in the callers, at which time the access_ok() in the callers
+can also be removed.
+
+Reported-by: Ben Hawkes <hawkes at sota.gen.nz>
+Signed-off-by: H. Peter Anvin <hpa at linux.intel.com>
+Acked-by: Benjamin Herrenschmidt <benh at kernel.crashing.org>
+Acked-by: Chris Metcalf <cmetcalf at tilera.com>
+Acked-by: David S. Miller <davem at davemloft.net>
+Acked-by: Ingo Molnar <mingo at elte.hu>
+Acked-by: Thomas Gleixner <tglx at linutronix.de>
+Acked-by: Tony Luck <tony.luck at intel.com>
+Cc: Andrew Morton <akpm at linux-foundation.org>
+Cc: Arnd Bergmann <arnd at arndb.de>
+Cc: Fenghua Yu <fenghua.yu at intel.com>
+Cc: H. Peter Anvin <hpa at zytor.com>
+Cc: Heiko Carstens <heiko.carstens at de.ibm.com>
+Cc: Helge Deller <deller at gmx.de>
+Cc: James Bottomley <jejb at parisc-linux.org>
+Cc: Kyle McMartin <kyle at mcmartin.ca>
+Cc: Martin Schwidefsky <schwidefsky at de.ibm.com>
+Cc: Paul Mackerras <paulus at samba.org>
+Cc: Ralf Baechle <ralf at linux-mips.org>
+Cc: <stable at kernel.org>
+---
+ arch/ia64/include/asm/compat.h | 2 +-
+ arch/mips/include/asm/compat.h | 2 +-
+ arch/parisc/include/asm/compat.h | 2 +-
+ arch/powerpc/include/asm/compat.h | 2 +-
+ arch/s390/include/asm/compat.h | 2 +-
+ arch/sparc/include/asm/compat.h | 2 +-
+ arch/x86/include/asm/compat.h | 2 +-
+ include/linux/compat.h | 3 +++
+ kernel/compat.c | 21 +++++++++++++++++++++
+ 10 files changed, 32 insertions(+), 8 deletions(-)
+
+diff --git a/arch/ia64/include/asm/compat.h b/arch/ia64/include/asm/compat.h
+index f90edc8..9301a28 100644
+--- a/arch/ia64/include/asm/compat.h
++++ b/arch/ia64/include/asm/compat.h
+@@ -199,7 +199,7 @@ ptr_to_compat(void __user *uptr)
+ }
+
+ static __inline__ void __user *
+-compat_alloc_user_space (long len)
++arch_compat_alloc_user_space (long len)
+ {
+ struct pt_regs *regs = task_pt_regs(current);
+ return (void __user *) (((regs->r12 & 0xffffffff) & -16) - len);
+diff --git a/arch/mips/include/asm/compat.h b/arch/mips/include/asm/compat.h
+index 613f691..dbc5106 100644
+--- a/arch/mips/include/asm/compat.h
++++ b/arch/mips/include/asm/compat.h
+@@ -145,7 +145,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
+ return (u32)(unsigned long)uptr;
+ }
+
+-static inline void __user *compat_alloc_user_space(long len)
++static inline void __user *arch_compat_alloc_user_space(long len)
+ {
+ struct pt_regs *regs = (struct pt_regs *)
+ ((unsigned long) current_thread_info() + THREAD_SIZE - 32) - 1;
+diff --git a/arch/parisc/include/asm/compat.h b/arch/parisc/include/asm/compat.h
+index 02b77ba..efa0b60 100644
+--- a/arch/parisc/include/asm/compat.h
++++ b/arch/parisc/include/asm/compat.h
+@@ -147,7 +147,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
+ return (u32)(unsigned long)uptr;
+ }
+
+-static __inline__ void __user *compat_alloc_user_space(long len)
++static __inline__ void __user *arch_compat_alloc_user_space(long len)
+ {
+ struct pt_regs *regs = ¤t->thread.regs;
+ return (void __user *)regs->gr[30];
+diff --git a/arch/powerpc/include/asm/compat.h b/arch/powerpc/include/asm/compat.h
+index 396d21a..a11d4ea 100644
+--- a/arch/powerpc/include/asm/compat.h
++++ b/arch/powerpc/include/asm/compat.h
+@@ -134,7 +134,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
+ return (u32)(unsigned long)uptr;
+ }
+
+-static inline void __user *compat_alloc_user_space(long len)
++static inline void __user *arch_compat_alloc_user_space(long len)
+ {
+ struct pt_regs *regs = current->thread.regs;
+ unsigned long usp = regs->gpr[1];
+diff --git a/arch/s390/include/asm/compat.h b/arch/s390/include/asm/compat.h
+index 104f200..a875c2f 100644
+--- a/arch/s390/include/asm/compat.h
++++ b/arch/s390/include/asm/compat.h
+@@ -181,7 +181,7 @@ static inline int is_compat_task(void)
+
+ #endif
+
+-static inline void __user *compat_alloc_user_space(long len)
++static inline void __user *arch_compat_alloc_user_space(long len)
+ {
+ unsigned long stack;
+
+diff --git a/arch/sparc/include/asm/compat.h b/arch/sparc/include/asm/compat.h
+index 5016f76..6f57325 100644
+--- a/arch/sparc/include/asm/compat.h
++++ b/arch/sparc/include/asm/compat.h
+@@ -167,7 +167,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
+ return (u32)(unsigned long)uptr;
+ }
+
+-static inline void __user *compat_alloc_user_space(long len)
++static inline void __user *arch_compat_alloc_user_space(long len)
+ {
+ struct pt_regs *regs = current_thread_info()->kregs;
+ unsigned long usp = regs->u_regs[UREG_I6];
+diff --git a/arch/x86/include/asm/compat.h b/arch/x86/include/asm/compat.h
+index 306160e..1d9cd27 100644
+--- a/arch/x86/include/asm/compat.h
++++ b/arch/x86/include/asm/compat.h
+@@ -205,7 +205,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
+ return (u32)(unsigned long)uptr;
+ }
+
+-static inline void __user *compat_alloc_user_space(long len)
++static inline void __user *arch_compat_alloc_user_space(long len)
+ {
+ struct pt_regs *regs = task_pt_regs(current);
+ return (void __user *)regs->sp - len;
+diff --git a/include/linux/compat.h b/include/linux/compat.h
+index 9ddc878..5778b55 100644
+--- a/include/linux/compat.h
++++ b/include/linux/compat.h
+@@ -360,5 +360,8 @@ extern ssize_t compat_rw_copy_check_uvector(int type,
+ const struct compat_iovec __user *uvector, unsigned long nr_segs,
+ unsigned long fast_segs, struct iovec *fast_pointer,
+ struct iovec **ret_pointer);
++
++extern void __user *compat_alloc_user_space(unsigned long len);
++
+ #endif /* CONFIG_COMPAT */
+ #endif /* _LINUX_COMPAT_H */
+diff --git a/kernel/compat.c b/kernel/compat.c
+index e167efc..c9e2ec0 100644
+--- a/kernel/compat.c
++++ b/kernel/compat.c
+@@ -1126,3 +1126,24 @@ compat_sys_sysinfo(struct compat_sysinfo __user *info)
+
+ return 0;
+ }
++
++/*
++ * Allocate user-space memory for the duration of a single system call,
++ * in order to marshall parameters inside a compat thunk.
++ */
++void __user *compat_alloc_user_space(unsigned long len)
++{
++ void __user *ptr;
++
++ /* If len would occupy more than half of the entire compat space... */
++ if (unlikely(len > (((compat_uptr_t)~0) >> 1)))
++ return NULL;
++
++ ptr = arch_compat_alloc_user_space(len);
++
++ if (unlikely(!access_ok(VERIFY_WRITE, ptr, len)))
++ return NULL;
++
++ return ptr;
++}
++EXPORT_SYMBOL_GPL(compat_alloc_user_space);
+--
+1.7.2.3
+
diff --git a/02-compat-test-rax-for-the-system-call-number-not-eax.patch b/02-compat-test-rax-for-the-system-call-number-not-eax.patch
new file mode 100644
index 0000000..15ff0ca
--- /dev/null
+++ b/02-compat-test-rax-for-the-system-call-number-not-eax.patch
@@ -0,0 +1,97 @@
+From 36d001c70d8a0144ac1d038f6876c484849a74de Mon Sep 17 00:00:00 2001
+From: H. Peter Anvin <hpa at linux.intel.com>
+Date: Tue, 14 Sep 2010 12:42:41 -0700
+Subject: [PATCH] x86-64, compat: Test %rax for the syscall number, not %eax
+
+On 64 bits, we always, by necessity, jump through the system call
+table via %rax. For 32-bit system calls, in theory the system call
+number is stored in %eax, and the code was testing %eax for a valid
+system call number. At one point we loaded the stored value back from
+the stack to enforce zero-extension, but that was removed in checkin
+d4d67150165df8bf1cc05e532f6efca96f907cab. An actual 32-bit process
+will not be able to introduce a non-zero-extended number, but it can
+happen via ptrace.
+
+Instead of re-introducing the zero-extension, test what we are
+actually going to use, i.e. %rax. This only adds a handful of REX
+prefixes to the code.
+
+Reported-by: Ben Hawkes <hawkes at sota.gen.nz>
+Signed-off-by: H. Peter Anvin <hpa at linux.intel.com>
+Cc: <stable at kernel.org>
+Cc: Roland McGrath <roland at redhat.com>
+Cc: Andrew Morton <akpm at linux-foundation.org>
+---
+ arch/x86/ia32/ia32entry.S | 14 +++++++-------
+ 1 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
+index b86feab..84e3a4e 100644
+--- a/arch/x86/ia32/ia32entry.S
++++ b/arch/x86/ia32/ia32entry.S
+@@ -153,7 +153,7 @@ ENTRY(ia32_sysenter_target)
+ testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
+ CFI_REMEMBER_STATE
+ jnz sysenter_tracesys
+- cmpl $(IA32_NR_syscalls-1),%eax
++ cmpq $(IA32_NR_syscalls-1),%rax
+ ja ia32_badsys
+ sysenter_do_call:
+ IA32_ARG_FIXUP
+@@ -195,7 +195,7 @@ sysexit_from_sys_call:
+ movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
+ call audit_syscall_entry
+ movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
+- cmpl $(IA32_NR_syscalls-1),%eax
++ cmpq $(IA32_NR_syscalls-1),%rax
+ ja ia32_badsys
+ movl %ebx,%edi /* reload 1st syscall arg */
+ movl RCX-ARGOFFSET(%rsp),%esi /* reload 2nd syscall arg */
+@@ -248,7 +248,7 @@ sysenter_tracesys:
+ call syscall_trace_enter
+ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
+ RESTORE_REST
+- cmpl $(IA32_NR_syscalls-1),%eax
++ cmpq $(IA32_NR_syscalls-1),%rax
+ ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
+ jmp sysenter_do_call
+ CFI_ENDPROC
+@@ -314,7 +314,7 @@ ENTRY(ia32_cstar_target)
+ testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
+ CFI_REMEMBER_STATE
+ jnz cstar_tracesys
+- cmpl $IA32_NR_syscalls-1,%eax
++ cmpq $IA32_NR_syscalls-1,%rax
+ ja ia32_badsys
+ cstar_do_call:
+ IA32_ARG_FIXUP 1
+@@ -367,7 +367,7 @@ cstar_tracesys:
+ LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
+ RESTORE_REST
+ xchgl %ebp,%r9d
+- cmpl $(IA32_NR_syscalls-1),%eax
++ cmpq $(IA32_NR_syscalls-1),%rax
+ ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */
+ jmp cstar_do_call
+ END(ia32_cstar_target)
+@@ -425,7 +425,7 @@ ENTRY(ia32_syscall)
+ orl $TS_COMPAT,TI_status(%r10)
+ testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
+ jnz ia32_tracesys
+- cmpl $(IA32_NR_syscalls-1),%eax
++ cmpq $(IA32_NR_syscalls-1),%rax
+ ja ia32_badsys
+ ia32_do_call:
+ IA32_ARG_FIXUP
+@@ -444,7 +444,7 @@ ia32_tracesys:
+ call syscall_trace_enter
+ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
+ RESTORE_REST
+- cmpl $(IA32_NR_syscalls-1),%eax
++ cmpq $(IA32_NR_syscalls-1),%rax
+ ja int_ret_from_sys_call /* ia32_tracesys has set RAX(%rsp) */
+ jmp ia32_do_call
+ END(ia32_syscall)
+--
+1.7.2.3
+
diff --git a/03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch b/03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
new file mode 100644
index 0000000..b7fa739
--- /dev/null
+++ b/03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
@@ -0,0 +1,49 @@
+From eefdca043e8391dcd719711716492063030b55ac Mon Sep 17 00:00:00 2001
+From: Roland McGrath <roland at redhat.com>
+Date: Tue, 14 Sep 2010 12:22:58 -0700
+Subject: [PATCH] x86-64, compat: Retruncate rax after ia32 syscall entry tracing
+
+In commit d4d6715, we reopened an old hole for a 64-bit ptracer touching a
+32-bit tracee in system call entry. A %rax value set via ptrace at the
+entry tracing stop gets used whole as a 32-bit syscall number, while we
+only check the low 32 bits for validity.
+
+Fix it by truncating %rax back to 32 bits after syscall_trace_enter,
+in addition to testing the full 64 bits as has already been added.
+
+Reported-by: Ben Hawkes <hawkes at sota.gen.nz>
+Signed-off-by: Roland McGrath <roland at redhat.com>
+Signed-off-by: H. Peter Anvin <hpa at linux.intel.com>
+---
+ arch/x86/ia32/ia32entry.S | 8 +++++++-
+ 1 files changed, 7 insertions(+), 1 deletions(-)
+
+diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
+index 84e3a4e..518bb99 100644
+--- a/arch/x86/ia32/ia32entry.S
++++ b/arch/x86/ia32/ia32entry.S
+@@ -50,7 +50,12 @@
+ /*
+ * Reload arg registers from stack in case ptrace changed them.
+ * We don't reload %eax because syscall_trace_enter() returned
+- * the value it wants us to use in the table lookup.
++ * the %rax value we should see. Instead, we just truncate that
++ * value to 32 bits again as we did on entry from user mode.
++ * If it's a new value set by user_regset during entry tracing,
++ * this matches the normal truncation of the user-mode value.
++ * If it's -1 to make us punt the syscall, then (u32)-1 is still
++ * an appropriately invalid value.
+ */
+ .macro LOAD_ARGS32 offset, _r9=0
+ .if \_r9
+@@ -60,6 +65,7 @@
+ movl \offset+48(%rsp),%edx
+ movl \offset+56(%rsp),%esi
+ movl \offset+64(%rsp),%edi
++ movl %eax,%eax /* zero extension */
+ .endm
+
+ .macro CFI_STARTPROC32 simple
+--
+1.7.2.3
+
diff --git a/aio-check-for-multiplication-overflow-in-do_io_submit.patch b/aio-check-for-multiplication-overflow-in-do_io_submit.patch
new file mode 100644
index 0000000..36b949c
--- /dev/null
+++ b/aio-check-for-multiplication-overflow-in-do_io_submit.patch
@@ -0,0 +1,47 @@
+From 75e1c70fc31490ef8a373ea2a4bea2524099b478 Mon Sep 17 00:00:00 2001
+From: Jeff Moyer <jmoyer at redhat.com>
+Date: Fri, 10 Sep 2010 14:16:00 -0700
+Subject: [PATCH] aio: check for multiplication overflow in do_io_submit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Tavis Ormandy pointed out that do_io_submit does not do proper bounds
+checking on the passed-in iocb array:
+
+Â Â Â Â if (unlikely(nr < 0))
+Â Â Â Â Â Â Â Â return -EINVAL;
+
+Â Â Â Â if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(iocbpp)))))
+Â Â Â Â Â Â Â Â return -EFAULT; Â Â Â Â Â Â Â Â Â Â Â ^^^^^^^^^^^^^^^^^^
+
+The attached patch checks for overflow, and if it is detected, the
+number of iocbs submitted is scaled down to a number that will fit in
+the long. Â This is an ok thing to do, as sys_io_submit is documented as
+returning the number of iocbs submitted, so callers should handle a
+return value of less than the 'nr' argument passed in.
+
+Reported-by: Tavis Ormandy <taviso at cmpxchg8b.com>
+Signed-off-by: Jeff Moyer <jmoyer at redhat.com>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ fs/aio.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/fs/aio.c b/fs/aio.c
+index 3006b5b..1320b2a 100644
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -1659,6 +1659,9 @@ long do_io_submit(aio_context_t ctx_id, long nr,
+ if (unlikely(nr < 0))
+ return -EINVAL;
+
++ if (unlikely(nr > LONG_MAX/sizeof(*iocbpp)))
++ nr = LONG_MAX/sizeof(*iocbpp);
++
+ if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(*iocbpp)))))
+ return -EFAULT;
+
+--
+1.7.2.3
+
diff --git a/kernel.spec b/kernel.spec
index d0a488b..1c0201b 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -48,7 +48,7 @@ Summary: The Linux kernel
# reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec).
# scripts/rebase.sh should be made to do that for you, actually.
#
-%global baserelease 26
+%global baserelease 28
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@@ -602,11 +602,17 @@ Patch30: git-utrace.patch
Patch31: utrace-ptrace-fix-build.patch
Patch32: utrace-remove-use-of-kref_set.patch
+Patch101: 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
+Patch102: 02-compat-test-rax-for-the-system-call-number-not-eax.patch
+Patch103: 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
+
Patch150: linux-2.6.29-sparc-IOC_TYPECHECK.patch
Patch160: linux-2.6-32bit-mmap-exec-randomization.patch
Patch161: linux-2.6-i386-nx-emulation.patch
+Patch180: aio-check-for-multiplication-overflow-in-do_io_submit.patch
+
Patch200: linux-2.6-debug-sizeof-structs.patch
Patch201: linux-2.6-debug-nmi-timeout.patch
Patch202: linux-2.6-debug-taint-vm.patch
@@ -1155,6 +1161,9 @@ ApplyPatch utrace-remove-use-of-kref_set.patch
# Architecture patches
# x86(-64)
+ApplyPatch 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
+ApplyPatch 02-compat-test-rax-for-the-system-call-number-not-eax.patch
+ApplyPatch 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
#
# Intel IOMMU
@@ -1179,6 +1188,8 @@ ApplyPatch linux-2.6-32bit-mmap-exec-randomization.patch
# bugfixes to drivers and filesystems
#
+ApplyPatch aio-check-for-multiplication-overflow-in-do_io_submit.patch
+
# ext4
# xfs
@@ -1932,6 +1943,11 @@ fi
# and build.
%changelog
+* Tue Sep 14 2010 Kyle McMartin <kyle at redhat.com> 2.6.35.4-28
+- x86_64: plug compat syscalls holes. (CVE-2010-3081, CVE-2010-3301)
+ upgrading is highly recommended.
+- aio: check for multiplication overflow in do_io_submit.
+
* Mon Sep 13 2010 Chuck Ebbert <cebbert at redhat.com>
- Add support for perl and python scripting to perf (#632942)
More information about the scm-commits
mailing list