[kernel/f20] CVE-2014-7843 aarch64: copying from /dev/zero causes local DoS (rhbz 1163744 1163745)
Josh Boyer
jwboyer at fedoraproject.org
Thu Nov 13 13:32:37 UTC 2014
commit 273eeba03411754f88b3e215250d3ff2e5022c29
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date: Thu Nov 13 08:30:23 2014 -0500
CVE-2014-7843 aarch64: copying from /dev/zero causes local DoS (rhbz 1163744 1163745)
arm64-__clear_user-handle-exceptions-on-strb.patch | 59 ++++++++++++++++++++
kernel.spec | 7 ++
2 files changed, 66 insertions(+), 0 deletions(-)
---
diff --git a/arm64-__clear_user-handle-exceptions-on-strb.patch b/arm64-__clear_user-handle-exceptions-on-strb.patch
new file mode 100644
index 0000000..3fd69bc
--- /dev/null
+++ b/arm64-__clear_user-handle-exceptions-on-strb.patch
@@ -0,0 +1,59 @@
+From 98e676789aa06582cb0d0f7758e77864b38c12a7 Mon Sep 17 00:00:00 2001
+From: Kyle McMartin <kyle at redhat.com>
+Date: Wed, 12 Nov 2014 16:07:44 -0500
+Subject: [PATCH] arm64: __clear_user: handle exceptions on strb
+
+ARM64 currently doesn't fix up faults on the single-byte (strb) case of
+__clear_user... which means that we can cause a nasty kernel panic as an
+ordinary user with any multiple PAGE_SIZE+1 read from /dev/zero.
+i.e.: dd if=/dev/zero of=foo ibs=1 count=1 (or ibs=65537, etc.)
+
+This is a pretty obscure bug in the general case since we'll only
+__do_kernel_fault (since there's no extable entry for pc) if the
+mmap_sem is contended. However, with CONFIG_DEBUG_VM enabled, we'll
+always fault.
+
+if (!down_read_trylock(&mm->mmap_sem)) {
+ if (!user_mode(regs) && !search_exception_tables(regs->pc))
+ goto no_context;
+retry:
+ down_read(&mm->mmap_sem);
+} else {
+ /*
+ * The above down_read_trylock() might have succeeded in
+ * which
+ * case, we'll have missed the might_sleep() from
+ * down_read().
+ */
+ might_sleep();
+#ifdef CONFIG_DEBUG_VM
+ if (!user_mode(regs) && !search_exception_tables(regs->pc))
+ goto no_context;
+#endif
+}
+
+Fix that by adding an extable entry for the strb instruction, since it
+touches user memory, similar to the other stores in __clear_user.
+
+Signed-off-by: Kyle McMartin <kyle at redhat.com>
+Cc: stable at vger.kernel.org
+---
+ arch/arm64/lib/clear_user.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/lib/clear_user.S b/arch/arm64/lib/clear_user.S
+index 6e0ed93d51fe..c17967fdf5f6 100644
+--- a/arch/arm64/lib/clear_user.S
++++ b/arch/arm64/lib/clear_user.S
+@@ -46,7 +46,7 @@ USER(9f, strh wzr, [x0], #2 )
+ sub x1, x1, #2
+ 4: adds x1, x1, #1
+ b.mi 5f
+- strb wzr, [x0]
++USER(9f, strb wzr, [x0] )
+ 5: mov x0, #0
+ ret
+ ENDPROC(__clear_user)
+--
+1.9.3
+
diff --git a/kernel.spec b/kernel.spec
index 0a0a522..46d7c1b 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -812,6 +812,9 @@ Patch26067: net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
#CVE-2014-7842 rhbz 1163762 1163767
Patch26068: KVM-x86-Don-t-report-guest-userspace-emulation-error.patch
+#CVE-2014-7843 rhbz 1163744 1163745
+Patch26069: arm64-__clear_user-handle-exceptions-on-strb.patch
+
# git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
Patch30000: kernel-arm64.patch
@@ -1595,6 +1598,9 @@ ApplyPatch net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
#CVE-2014-7842 rhbz 1163762 1163767
ApplyPatch KVM-x86-Don-t-report-guest-userspace-emulation-error.patch
+#CVE-2014-7843 rhbz 1163744 1163745
+ApplyPatch arm64-__clear_user-handle-exceptions-on-strb.patch
+
%if 0%{?aarch64patches}
ApplyPatch kernel-arm64.patch
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2414,6 +2420,7 @@ fi
# || ||
%changelog
* Thu Nov 13 2014 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2014-7843 aarch64: copying from /dev/zero causes local DoS (rhbz 1163744 1163745)
- CVE-2014-7842 kvm: reporting emulation failures to userspace (rhbz 1163762 1163767)
* Wed Nov 12 2014 Josh Boyer <jwboyer at fedoraproject.org>
More information about the scm-commits
mailing list