[kernel/f19] CVE-2014-4508 BUG in x86_32 syscall auditing (rhbz 1111590 1112073)

Josh Boyer jwboyer at fedoraproject.org
Tue Jun 24 00:16:00 UTC 2014


commit bfa92456eb2d8fb3eea623e09682ae9e6bc3bfa1
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date:   Mon Jun 23 20:13:38 2014 -0400

    CVE-2014-4508 BUG in x86_32 syscall auditing (rhbz 1111590 1112073)

 kernel.spec                                       |   11 ++-
 x86_32-entry-Do-syscall-exit-work-on-badsys.patch |  130 +++++++++++++++++++++
 2 files changed, 140 insertions(+), 1 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 54b2757..f489f0e 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -780,6 +780,9 @@ Patch25102: intel_pstate-Fix-setting-VID.patch
 Patch25103: intel_pstate-dont-touch-turbo-bit-if-turbo-disabled-or-unavailable.patch
 Patch25104: intel_pstate-Update-documentation-of-max-min_perf_pct-sysfs-files.patch
 
+#CVE-2014-4508 rhbz 1111590 1112073
+Patch25106: x86_32-entry-Do-syscall-exit-work-on-badsys.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
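Review bot: the patch definition jumps from Patch25104 straight to Patch25106, leaving Patch25105 unused in the visible range; if no Patch25105 is defined elsewhere in the spec, number this one 25105 so the sequence stays contiguous, otherwise a short note on why the gap is intended would help the next person reading this block. The `#CVE-2014-4508 rhbz 1111590 1112073` comment above the definition is the right way to tie the patch to its bugs and matches the commit subject.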
@@ -1503,6 +1506,9 @@ ApplyPatch intel_pstate-Fix-setting-VID.patch
 ApplyPatch intel_pstate-dont-touch-turbo-bit-if-turbo-disabled-or-unavailable.patch
 ApplyPatch intel_pstate-Update-documentation-of-max-min_perf_pct-sysfs-files.patch
 
+#CVE-2014-4508 rhbz 1111590 1112073
+ApplyPatch x86_32-entry-Do-syscall-exit-work-on-badsys.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2315,8 +2321,11 @@ fi
 # and build.
 
 %changelog
+* Mon Jun 23 2014 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2014-4508 BUG in x86_32 syscall auditing (rhbz 1111590 1112073)
+
 * Fri Jun 20 2014 Josh Boyer <jwboyer at fedoraproject.org>
-- Bring in intel_pstate regression fixes for BayTrail
+- Bring in intel_pstate regression fixes for BayTrail (rhbz 1111920)
 
 * Mon Jun 16 2014 Justin M. Forbes <jforbes at fedoraproject.org> - 3.14.8-100
 - Linux v3.14.8
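Review bot: this hunk also rewrites the already-recorded `Fri Jun 20 2014` entry to append `(rhbz 1111920)`, which is unrelated to the CVE fix named in the subject; either mention that amendment in the commit message or carry it in its own commit so the changelog history stays traceable. The new `Mon Jun 23 2014` entry, like the Jun 20 one directly below it, carries no version-release suffix (compare `- 3.14.8-100` on the Jun 16 line), which is consistent with the pending entries above the last tagged build.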
diff --git a/x86_32-entry-Do-syscall-exit-work-on-badsys.patch b/x86_32-entry-Do-syscall-exit-work-on-badsys.patch
new file mode 100644
index 0000000..c174e94
--- /dev/null
+++ b/x86_32-entry-Do-syscall-exit-work-on-badsys.patch
@@ -0,0 +1,130 @@
+Bugzilla: 1112073
+Upstream-status: Sent for 3.16 and CC'd to stable                                                                                                                                                                                                                                                               
+Delivered-To: jwboyer at gmail.com
+Received: by 10.76.6.212 with SMTP id d20csp139586oaa;
+        Mon, 23 Jun 2014 14:28:15 -0700 (PDT)
+X-Received: by 10.68.222.196 with SMTP id qo4mr32453892pbc.14.1403558895116;
+        Mon, 23 Jun 2014 14:28:15 -0700 (PDT)
+Return-Path: <stable-owner at vger.kernel.org>
+Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
+        by mx.google.com with ESMTP id bm3si23587434pad.232.2014.06.23.14.27.47
+        for <multiple recipients>;
+        Mon, 23 Jun 2014 14:28:15 -0700 (PDT)
+Received-SPF: none (google.com: stable-owner at vger.kernel.org does not designate permitted sender hosts) client-ip=209.132.180.67;
+Authentication-Results: mx.google.com;
+       spf=neutral (google.com: stable-owner at vger.kernel.org does not designate permitted sender hosts) smtp.mail=stable-owner at vger.kernel.org
+Received: (majordomo at vger.kernel.org) by vger.kernel.org via listexpand
+	id S1752475AbaFWVWX (ORCPT <rfc822;tuffkidtt at gmail.com> + 73 others);
+	Mon, 23 Jun 2014 17:22:23 -0400
+Received: from mail-pb0-f42.google.com ([209.85.160.42]:39692 "EHLO
+	mail-pb0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
+	with ESMTP id S1752518AbaFWVWW (ORCPT
+	<rfc822;stable at vger.kernel.org>); Mon, 23 Jun 2014 17:22:22 -0400
+Received: by mail-pb0-f42.google.com with SMTP id ma3so6319797pbc.15
+        for <stable at vger.kernel.org>; Mon, 23 Jun 2014 14:22:21 -0700 (PDT)
+X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+        d=1e100.net; s=20130820;
+        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
+         :references:mime-version:content-type:content-transfer-encoding;
+        bh=7AW5eK5e3OhAcFYPrsffKoD56CbJdqfg9BcyF1JKfUE=;
+        b=iLlWTJCuH9FlKTif4N6XtFZNvj8a/fbsjuP4kWWD/gmHHGEOWI6bh2Jm8X3vcN6GtV
+         f7rqFO0SAMf197e66uME3pq8NzYFad4eRgJpBGON93P22+cPbqrsT9FZjMZqn2bJkEw4
+         EDZZy2MFqm3Kx2m/5g76NLDV1tgafEnwbgL1vg6IxlbPi6J8inkXwKP3FdMoTcfRBO6p
+         dIcI1cV7VDNf6zKaMj+XS/ZiSxqpArhwvZ6xnXRmLfgD+x/JsxEcg2pX03BXHTKO9QNm
+         nixe+cuug0X0E5idHuiLJzV0Wf6IhYsvVz/FvjY16pggduecA2NgNU2e7txqb+IcTBZ/
+         jBbA==
+X-Gm-Message-State: ALoCoQlblcwmTrVjpekrIOzidDrxwB18p5Rfd5SObiPQifpOQZmSFUKrxzV0kxCjcW/wVwxOzAG7
+X-Received: by 10.68.197.8 with SMTP id iq8mr32930210pbc.124.1403558541680;
+        Mon, 23 Jun 2014 14:22:21 -0700 (PDT)
+Received: from localhost (50-76-60-73-ip-static.hfc.comcastbusiness.net. [50.76.60.73])
+        by mx.google.com with ESMTPSA id fl6sm99195659pab.43.2014.06.23.14.22.19
+        for <multiple recipients>
+        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
+        Mon, 23 Jun 2014 14:22:20 -0700 (PDT)
+From:	Andy Lutomirski <luto at amacapital.net>
+Cc:	"H. Peter Anvin" <hpa at zytor.com>,
+	Richard Weinberger <richard at nod.at>, X86 ML <x86 at kernel.org>,
+	Eric Paris <eparis at redhat.com>,
+	Linux Kernel <linux-kernel at vger.kernel.org>,
+	security at kernel.org, Steven Rostedt <rostedt at goodmis.org>,
+	Borislav Petkov <bp at alien8.de>,
+	=?UTF-8?q?Toralf=20F=C3=B6rster?= <toralf.foerster at gmx.de>,
+	Andy Lutomirski <luto at amacapital.net>, stable at vger.kernel.org,
+	Roland McGrath <roland at redhat.com>
+Subject: [PATCH] x86_32,entry: Do syscall exit work on badsys (CVE-2014-4508)
+Date:	Mon, 23 Jun 2014 14:22:15 -0700
+Message-Id: <e09c499eade6fc321266dd6b54da7beb28d6991c.1403558229.git.luto at amacapital.net>
+X-Mailer: git-send-email 1.9.3
+In-Reply-To: <CA+5PVA70nFS8JZkL0-Q-1HjFHT5NA04275_M4WstjQMrpT+hrQ at mail.gmail.com>
+References: <CA+5PVA70nFS8JZkL0-Q-1HjFHT5NA04275_M4WstjQMrpT+hrQ at mail.gmail.com>
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+To:	unlisted-recipients:; (no To-header on input)
+Sender:	stable-owner at vger.kernel.org
+Precedence: bulk
+List-ID: <stable.vger.kernel.org>
+X-Mailing-List:	stable at vger.kernel.org
+
+The bad syscall nr paths are their own incomprehensible route
+through the entry control flow.  Rearrange them to work just like
+syscalls that return -ENOSYS.
+
+This fixes an OOPS in the audit code when fast-path auditing is
+enabled and sysenter gets a bad syscall nr (CVE-2014-4508).
+
+This has probably been broken since Linux 2.6.27:
+af0575bba0 i386 syscall audit fast-path
+
+Cc: stable at vger.kernel.org
+Cc: Roland McGrath <roland at redhat.com>
+Reported-by: Toralf Förster <toralf.foerster at gmx.de>
+Signed-off-by: Andy Lutomirski <luto at amacapital.net>
+---
+
+I realize that the syscall audit fast path and badsys code, on 32-bit
+x86 no less, is possibly one of the least fun things in the kernel to
+review, but this is still a real security bug and should get fixed :(
+
+So I'm cc-ing a bunch of people and maybe someone will review it.
+
+ arch/x86/kernel/entry_32.S | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
+index a2a4f46..f4258a5 100644
+--- a/arch/x86/kernel/entry_32.S
++++ b/arch/x86/kernel/entry_32.S
+@@ -431,9 +431,10 @@ sysenter_past_esp:
+ 	jnz sysenter_audit
+ sysenter_do_call:
+ 	cmpl $(NR_syscalls), %eax
+-	jae syscall_badsys
++	jae sysenter_badsys
+ 	call *sys_call_table(,%eax,4)
+ 	movl %eax,PT_EAX(%esp)
++sysenter_after_call:
+ 	LOCKDEP_SYS_EXIT
+ 	DISABLE_INTERRUPTS(CLBR_ANY)
+ 	TRACE_IRQS_OFF
+@@ -688,7 +689,12 @@ END(syscall_fault)
+ 
+ syscall_badsys:
+ 	movl $-ENOSYS,PT_EAX(%esp)
+-	jmp resume_userspace
++	jmp syscall_exit
++END(syscall_badsys)
++
++sysenter_badsys:
++	movl $-ENOSYS,PT_EAX(%esp)
++	jmp sysenter_after_call
+ END(syscall_badsys)
+ 	CFI_ENDPROC
+ /*
+-- 
+1.9.3
+
+--
+To unsubscribe from this list: send the line "unsubscribe stable" in
+the body of a message to majordomo at vger.kernel.org
+More majordomo info at  http://vger.kernel.org/majordomo-info.html
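Review bot: in the second embedded entry_32.S hunk the new `sysenter_badsys:` block (`movl $-ENOSYS,PT_EAX(%esp)` / `jmp sysenter_after_call`) is followed by the unchanged context line `END(syscall_badsys)`, so the size directive for `sysenter_badsys` is emitted under the wrong name and `syscall_badsys` ends up with two END markers; that context line should become `END(sysenter_badsys)`. The control flow itself looks right: `sysenter_do_call` now branches to `sysenter_badsys`, which stores -ENOSYS into PT_EAX and rejoins at the new `sysenter_after_call` label placed after `movl %eax,PT_EAX(%esp)`, so a bad syscall number on the sysenter path runs the same LOCKDEP_SYS_EXIT / DISABLE_INTERRUPTS / TRACE_IRQS_OFF exit work as a normal -ENOSYS return instead of its own shortcut, and the int80 `syscall_badsys` goes to `syscall_exit` rather than `resume_userspace`, which is what the commit message says is needed to stop the audit-code OOPS. On the patch file itself: it embeds the complete raw mail headers (Received, X-Google-DKIM-Signature, List-ID and the rest) above the commit message, and the `Upstream-status:` line carries a long run of trailing whitespace; trimming the header block down to From/Subject/Date/Message-Id and stripping the trailing spaces would keep the file readable and free of whitespace noise. The `Bugzilla:` trailer names only 1112073 while the spec comment and commit subject cite both 1111590 and 1112073; list both for consistency.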

