CVE-2014-7843 aarch64: copying from /dev/zero causes local DoS (rhbz 1163744 1163745)

arm64-__clear_user-handle-exceptions-on-strb.patch

@@ -0,0 +1,59 @@
+From 98e676789aa06582cb0d0f7758e77864b38c12a7 Mon Sep 17 00:00:00 2001
+From: Kyle McMartin <kyle@redhat.com>
+Date: Wed, 12 Nov 2014 16:07:44 -0500
+Subject: [PATCH] arm64: __clear_user: handle exceptions on strb
+
+ARM64 currently doesn't fix up faults on the single-byte (strb) case of
+__clear_user... which means that we can cause a nasty kernel panic as an
+ordinary user with any multiple PAGE_SIZE+1 read from /dev/zero.
+i.e.: dd if=/dev/zero of=foo ibs=1 count=1 (or ibs=65537, etc.)
+
+This is a pretty obscure bug in the general case since we'll only
+__do_kernel_fault (since there's no extable entry for pc) if the
+mmap_sem is contended. However, with CONFIG_DEBUG_VM enabled, we'll
+always fault.
+
+if (!down_read_trylock(&mm->mmap_sem)) {
+	if (!user_mode(regs) && !search_exception_tables(regs->pc))
+		goto no_context;
+retry:
+	down_read(&mm->mmap_sem);
+} else {
+	/*
+	 * The above down_read_trylock() might have succeeded in
+	 * which
+	 * case, we'll have missed the might_sleep() from
+	 * down_read().
+	 */
+	might_sleep();
+#ifdef CONFIG_DEBUG_VM
+	if (!user_mode(regs) && !search_exception_tables(regs->pc))
+		goto no_context;
+#endif
+}
+
+Fix that by adding an extable entry for the strb instruction, since it
+touches user memory, similar to the other stores in __clear_user.
+
+Signed-off-by: Kyle McMartin <kyle@redhat.com>
+Cc: stable@vger.kernel.org
+---
+ arch/arm64/lib/clear_user.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/lib/clear_user.S b/arch/arm64/lib/clear_user.S
+index 6e0ed93d51fe..c17967fdf5f6 100644
+--- a/arch/arm64/lib/clear_user.S
++++ b/arch/arm64/lib/clear_user.S
+@@ -46,7 +46,7 @@ USER(9f, strh	wzr, [x0], #2	)
+ 	sub	x1, x1, #2
+ 4:	adds	x1, x1, #1
+ 	b.mi	5f
+-	strb	wzr, [x0]
++USER(9f, strb	wzr, [x0]	)
+ 5:	mov	x0, #0
+ 	ret
+ ENDPROC(__clear_user)
+-- 
+1.9.3
+

kernel.spec

@@ -622,6 +622,9 @@ Patch26066: ahci-disable-MSI-instead-of-NCQ-on-Samsung-pci-e-SSD.patch
 #CVE-2014-7841 rhbz 1163087 1163095
 Patch26067: net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
 
+#CVE-2014-7843 rhbz 1163744 1163745
+Patch26069: arm64-__clear_user-handle-exceptions-on-strb.patch
+
 # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
 Patch30000: kernel-arm64.patch
 
@@ -1353,6 +1356,9 @@ ApplyPatch ahci-disable-MSI-instead-of-NCQ-on-Samsung-pci-e-SSD.patch
 #CVE-2014-7841 rhbz 1163087 1163095
 ApplyPatch net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
 
+#CVE-2014-7843 rhbz 1163744 1163745
+ApplyPatch arm64-__clear_user-handle-exceptions-on-strb.patch
+
 %if 0%{?aarch64patches}
 ApplyPatch kernel-arm64.patch
 %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2221,6 +2227,9 @@ fi
 #                                    ||----w |
 #                                    ||     ||
 %changelog
+* Thu Nov 13 2014 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2014-7843 aarch64: copying from /dev/zero causes local DoS (rhbz 1163744 1163745)
+
 * Thu Nov 13 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.18.0-0.rc4.git1.1
 - Linux v3.18-rc4-52-g04689e749b7e
 - Reenable debugging options.