[kernel/f19] CVE-2014-0206 aio: insufficient head sanitization in aio_read_events_ring (rhbz 1094602 1112975)
Josh Boyer
jwboyer at fedoraproject.org
Wed Jun 25 12:30:28 UTC 2014
commit 729c85b9ef370993954bfccadb505f24c9173c2c
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date: Wed Jun 25 08:29:10 2014 -0400
CVE-2014-0206 aio: insufficient head sanitization in aio_read_events_ring (rhbz 1094602 1112975)
...-request-leak-when-events-are-reaped-by-u.patch | 48 ++++++++++++++++++++
...nel-memory-disclosure-in-io_getevents-int.patch | 46 +++++++++++++++++++
kernel.spec | 11 +++++
3 files changed, 105 insertions(+), 0 deletions(-)
---
diff --git a/aio-fix-aio-request-leak-when-events-are-reaped-by-u.patch b/aio-fix-aio-request-leak-when-events-are-reaped-by-u.patch
new file mode 100644
index 0000000..fa93d66
--- /dev/null
+++ b/aio-fix-aio-request-leak-when-events-are-reaped-by-u.patch
@@ -0,0 +1,48 @@
+Bugzilla: 1112975
+Upstream-status: 3.16 and CC'd to stable
+
+From f8567a3845ac05bb28f3c1b478ef752762bd39ef Mon Sep 17 00:00:00 2001
+From: Benjamin LaHaise <bcrl at kvack.org>
+Date: Tue, 24 Jun 2014 13:12:55 -0400
+Subject: [PATCH] aio: fix aio request leak when events are reaped by userspace
+
+The aio cleanups and optimizations by kmo that were merged into the 3.10
+tree added a regression for userspace event reaping. Specifically, the
+reference counts are not decremented if the event is reaped in userspace,
+leading to the application being unable to submit further aio requests.
+This patch applies to 3.12+. A separate backport is required for 3.10/3.11.
+This issue was uncovered as part of CVE-2014-0206.
+
+Signed-off-by: Benjamin LaHaise <bcrl at kvack.org>
+Cc: stable at vger.kernel.org
+Cc: Kent Overstreet <kmo at daterainc.com>
+Cc: Mateusz Guzik <mguzik at redhat.com>
+Cc: Petr Matousek <pmatouse at redhat.com>
+---
+ fs/aio.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/fs/aio.c b/fs/aio.c
+index 4f078c054b41..6a9c7e489adf 100644
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -1021,6 +1021,7 @@ void aio_complete(struct kiocb *iocb, long res, long res2)
+
+ /* everything turned out well, dispose of the aiocb. */
+ kiocb_free(iocb);
++ put_reqs_available(ctx, 1);
+
+ /*
+ * We have to order our ring_info tail store above and test
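Review bot: the `put_reqs_available(ctx, 1)` added right after `kiocb_free(iocb)` moves slot release from the reaping side to the completion side, which is what stops slots leaking when userspace reaps events the kernel never sees consumed; it is inserted just above the comment "We have to order our ring_info tail store above and test", so the commit message should state that the counter release does not need to take part in that ordering, or the call should move below the barrier the comment refers to.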
+@@ -1100,8 +1101,6 @@ static long aio_read_events_ring(struct kioctx *ctx,
+ flush_dcache_page(ctx->ring_pages[0]);
+
+ pr_debug("%li h%u t%u\n", ret, head, tail);
+-
+- put_reqs_available(ctx, ret);
+ out:
+ mutex_unlock(&ctx->ring_lock);
+
+--
+1.9.3
+
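Review bot: removing `put_reqs_available(ctx, ret)` here only balances out because the per-completion `put_reqs_available(ctx, 1)` is added to aio_complete in the same patch, so the two hunks must land together: this hunk alone would never return slots, the other alone would return each slot twice. `ret` is still consumed by the `pr_debug` line above, so nothing else in this function depended on the removed call.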
diff --git a/aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch b/aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch
new file mode 100644
index 0000000..831a6a8
--- /dev/null
+++ b/aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch
@@ -0,0 +1,46 @@
+Bugzilla: 1112975
+Upstream-status: 3.16 and CC'd to stable
+
+From edfbbf388f293d70bf4b7c0bc38774d05e6f711a Mon Sep 17 00:00:00 2001
+From: Benjamin LaHaise <bcrl at kvack.org>
+Date: Tue, 24 Jun 2014 13:32:51 -0400
+Subject: [PATCH] aio: fix kernel memory disclosure in io_getevents()
+ introduced in v3.10
+
+A kernel memory disclosure was introduced in aio_read_events_ring() in v3.10
+by commit a31ad380bed817aa25f8830ad23e1a0480fef797. The changes made to
+aio_read_events_ring() failed to correctly limit the index into
+ctx->ring_pages[], allowing an attacked to cause the subsequent kmap() of
+an arbitrary page with a copy_to_user() to copy the contents into userspace.
+This vulnerability has been assigned CVE-2014-0206. Thanks to Mateusz and
+Petr for disclosing this issue.
+
+This patch applies to v3.12+. A separate backport is needed for 3.10/3.11.
+
+Signed-off-by: Benjamin LaHaise <bcrl at kvack.org>
+Cc: Mateusz Guzik <mguzik at redhat.com>
+Cc: Petr Matousek <pmatouse at redhat.com>
+Cc: Kent Overstreet <kmo at daterainc.com>
+Cc: Jeff Moyer <jmoyer at redhat.com>
+Cc: stable at vger.kernel.org
+---
+ fs/aio.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/aio.c b/fs/aio.c
+index 6a9c7e489adf..955947ef3e02 100644
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -1063,6 +1063,9 @@ static long aio_read_events_ring(struct kioctx *ctx,
+ if (head == tail)
+ goto out;
+
++ head %= ctx->nr_events;
++ tail %= ctx->nr_events;
++
+ while (ret < nr) {
+ long avail;
+ struct io_event *ev;
+--
+1.9.3
+
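Review bot: the `head %= ctx->nr_events;` / `tail %= ctx->nr_events;` reduction sits after the `if (head == tail) goto out;` early-out, so the empty-ring test is done on the raw values; a `head` that differs from `tail` by a multiple of `nr_events` passes the test and only becomes equal to `tail` afterwards, so either move the reduction above the test or confirm that the `while (ret < nr)` loop has its own `head == tail` guard before it derives `avail` from the indices. Bounding `head` is the fix the subject names (`insufficient head sanitization`); bounding `tail` as well costs nothing and protects the same `ring_pages[]` index. Separately, the embedded commit message reads `allowing an attacked to cause` where `attacker` is meant; worth correcting in the patch file before it is committed.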
diff --git a/kernel.spec b/kernel.spec
index f489f0e..4d61d2e 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -783,6 +783,10 @@ Patch25104: intel_pstate-Update-documentation-of-max-min_perf_pct-sysfs-files.pa
#CVE-2014-4508 rhbz 1111590 1112073
Patch25106: x86_32-entry-Do-syscall-exit-work-on-badsys.patch
+#CVE-2014-0206 rhbz 1094602 1112975
+Patch25107: aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch
+Patch25108: aio-fix-aio-request-leak-when-events-are-reaped-by-u.patch
+
# END OF PATCH DEFINITIONS
%endif
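Review bot: the spec comment lists two bugs, `#CVE-2014-0206 rhbz 1094602 1112975`, but both patch files carry only `Bugzilla: 1112975` in their headers; add 1094602 to the `Bugzilla:` trailer of each patch so the patch files are traceable to the same bugs as the spec.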
@@ -1509,6 +1513,10 @@ ApplyPatch intel_pstate-Update-documentation-of-max-min_perf_pct-sysfs-files.pat
#CVE-2014-4508 rhbz 1111590 1112073
ApplyPatch x86_32-entry-Do-syscall-exit-work-on-badsys.patch
+#CVE-2014-0206 rhbz 1094602 1112975
+ApplyPatch aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch
+ApplyPatch aio-fix-aio-request-leak-when-events-are-reaped-by-u.patch
+
# END OF PATCH APPLICATIONS
%endif
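Review bot: the ApplyPatch order is the reverse of the order the two upstream commits were generated in: the leak fix's embedded `index 4f078c054b41..6a9c7e489adf` is the pre-image of the disclosure fix's `index 6a9c7e489adf..955947ef3e02`, yet `aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch` is applied first. The hunks touch disjoint regions of fs/aio.c (around lines 1021 and 1100 versus 1063), so the second patch applies with a one-line offset instead of failing, but applying the leak fix first would keep the offsets at zero and match the upstream sequence.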
@@ -2321,6 +2329,9 @@ fi
# and build.
%changelog
+* Wed Jun 25 2014 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2014-0206 aio: insufficient head sanitization in aio_read_events_ring (rhbz 1094602 1112975)
+
* Mon Jun 23 2014 Josh Boyer <jwboyer at fedoraproject.org>
- CVE-2014-4508 BUG in x86_32 syscall auditing (rhbz 1111590 1112073)