CVE-2014-7843 aarch64: copying from /dev/zero causes local DoS (rhbz 1163744 1163745)

2014-11-13 08:30:23 -05:00 · 2014-11-13 08:30:23 -05:00 · d31dd42af0
commit d31dd42af0
parent d21f4c390b
2 changed files with 68 additions and 0 deletions
--- a/arm64-__clear_user-handle-exceptions-on-strb.patch
+++ b/arm64-__clear_user-handle-exceptions-on-strb.patch
@ -0,0 +1,59 @@
 From 98e676789aa06582cb0d0f7758e77864b38c12a7 Mon Sep 17 00:00:00 2001
 From: Kyle McMartin <kyle@redhat.com>
 Date: Wed, 12 Nov 2014 16:07:44 -0500
 Subject: [PATCH] arm64: __clear_user: handle exceptions on strb
 ARM64 currently doesn't fix up faults on the single-byte (strb) case of
 __clear_user... which means that we can cause a nasty kernel panic as an
 ordinary user with any multiple PAGE_SIZE+1 read from /dev/zero.
 i.e.: dd if=/dev/zero of=foo ibs=1 count=1 (or ibs=65537, etc.)
 This is a pretty obscure bug in the general case since we'll only
 __do_kernel_fault (since there's no extable entry for pc) if the
 mmap_sem is contended. However, with CONFIG_DEBUG_VM enabled, we'll
 always fault.
 if (!down_read_trylock(&mm->mmap_sem)) {
 	if (!user_mode(regs) && !search_exception_tables(regs->pc))
 		goto no_context;
 retry:
 	down_read(&mm->mmap_sem);
 } else {
 	/*
 	 * The above down_read_trylock() might have succeeded in
 	 * which
 	 * case, we'll have missed the might_sleep() from
 	 * down_read().
 	 */
 	might_sleep();
 #ifdef CONFIG_DEBUG_VM
 	if (!user_mode(regs) && !search_exception_tables(regs->pc))
 		goto no_context;
 #endif
 }
 Fix that by adding an extable entry for the strb instruction, since it
 touches user memory, similar to the other stores in __clear_user.
 Signed-off-by: Kyle McMartin <kyle@redhat.com>
 Cc: stable@vger.kernel.org
 ---
 arch/arm64/lib/clear_user.S | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/arch/arm64/lib/clear_user.S b/arch/arm64/lib/clear_user.S
 index 6e0ed93d51fe..c17967fdf5f6 100644
 --- a/arch/arm64/lib/clear_user.S
 +++ b/arch/arm64/lib/clear_user.S
@@ -46,7 +46,7 @@ USER(9f, strh	wzr, [x0], #2	)
 	sub	x1, x1, #2
 4:	adds	x1, x1, #1
 	b.mi	5f
 -	strb	wzr, [x0]
 +USER(9f, strb	wzr, [x0]	)
 5:	mov	x0, #0
 	ret
 ENDPROC(__clear_user)
 -- 
 1.9.3
--- a/kernel.spec
+++ b/kernel.spec
@ -622,6 +622,9 @@ Patch26066: ahci-disable-MSI-instead-of-NCQ-on-Samsung-pci-e-SSD.patch
 #CVE-2014-7841 rhbz 1163087 1163095
 Patch26067: net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
 #CVE-2014-7843 rhbz 1163744 1163745
 Patch26069: arm64-__clear_user-handle-exceptions-on-strb.patch
 # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
 Patch30000: kernel-arm64.patch
@ -1353,6 +1356,9 @@ ApplyPatch ahci-disable-MSI-instead-of-NCQ-on-Samsung-pci-e-SSD.patch
 #CVE-2014-7841 rhbz 1163087 1163095
 ApplyPatch net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
 #CVE-2014-7843 rhbz 1163744 1163745
 ApplyPatch arm64-__clear_user-handle-exceptions-on-strb.patch
 %if 0%{?aarch64patches}
 ApplyPatch kernel-arm64.patch
 %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@ -2221,6 +2227,9 @@ fi
 #                                    ||----w |
 #                                    ||     ||
 %changelog
 * Thu Nov 13 2014 Josh Boyer <jwboyer@fedoraproject.org>
 - CVE-2014-7843 aarch64: copying from /dev/zero causes local DoS (rhbz 1163744 1163745)
 * Thu Nov 13 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.18.0-0.rc4.git1.1
 - Linux v3.18-rc4-52-g04689e749b7e
 - Reenable debugging options.