From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, PaX Team <pageexec@freemail.hu>,
"H. Peter Anvin" <hpa@linux.intel.com>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 3.4 04/37] x86, x32: Correct invalid use of user timespec in the kernel
Date: Tue, 4 Feb 2014 13:00:40 -0800 [thread overview]
Message-ID: <20140204210056.132380353@linuxfoundation.org> (raw)
In-Reply-To: <20140204210055.992134150@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: PaX Team <pageexec@freemail.hu>
commit 2def2ef2ae5f3990aabdbe8a755911902707d268 upstream.
The x32 case for the recvmsg() timout handling is broken:
asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg,
unsigned int vlen, unsigned int flags,
struct compat_timespec __user *timeout)
{
int datagrams;
struct timespec ktspec;
if (flags & MSG_CMSG_COMPAT)
return -EINVAL;
if (COMPAT_USE_64BIT_TIME)
return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
flags | MSG_CMSG_COMPAT,
(struct timespec *) timeout);
...
The timeout pointer parameter is provided by userland (hence the __user
annotation) but for x32 syscalls it's simply cast to a kernel pointer
and is passed to __sys_recvmmsg which will eventually directly
dereference it for both reading and writing. Other callers to
__sys_recvmmsg properly copy from userland to the kernel first.
The bug was introduced by commit ee4fa23c4bfc ("compat: Use
COMPAT_USE_64BIT_TIME in net/compat.c") and should affect all kernels
since 3.4 (and perhaps vendor kernels if they backported x32 support
along with this code).
Note that CONFIG_X86_X32_ABI gets enabled at build time and only if
CONFIG_X86_X32 is enabled and ld can build x32 executables.
Other uses of COMPAT_USE_64BIT_TIME seem fine.
This addresses CVE-2014-0038.
Signed-off-by: PaX Team <pageexec@freemail.hu>
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/compat.c | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
--- a/net/compat.c
+++ b/net/compat.c
@@ -789,21 +789,16 @@ asmlinkage long compat_sys_recvmmsg(int
if (flags & MSG_CMSG_COMPAT)
return -EINVAL;
- if (COMPAT_USE_64BIT_TIME)
- return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
- flags | MSG_CMSG_COMPAT,
- (struct timespec *) timeout);
-
if (timeout == NULL)
return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
flags | MSG_CMSG_COMPAT, NULL);
- if (get_compat_timespec(&ktspec, timeout))
+ if (compat_get_timespec(&ktspec, timeout))
return -EFAULT;
datagrams = __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
flags | MSG_CMSG_COMPAT, &ktspec);
- if (datagrams > 0 && put_compat_timespec(&ktspec, timeout))
+ if (datagrams > 0 && compat_put_timespec(&ktspec, timeout))
datagrams = -EFAULT;
return datagrams;
next prev parent reply other threads:[~2014-02-04 23:16 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-04 21:00 [PATCH 3.4 00/37] 3.4.79-stable review Greg Kroah-Hartman
2014-02-04 21:00 ` [PATCH 3.4 01/37] md/raid5: fix long-standing problem with bitmap handling on write failure Greg Kroah-Hartman
2014-02-04 21:00 ` [PATCH 3.4 02/37] mm: hugetlbfs: fix hugetlbfs optimization Greg Kroah-Hartman
2014-02-04 21:00 ` [PATCH 3.4 03/37] e752x_edac: Fix pci_dev usage count Greg Kroah-Hartman
2014-02-04 21:00 ` Greg Kroah-Hartman [this message]
2014-02-04 21:00 ` [PATCH 3.4 05/37] usb: option: add new zte 3g modem pids to option driver Greg Kroah-Hartman
2014-02-04 21:00 ` [PATCH 3.4 07/37] USB: cypress_m8: fix ring-indicator detection and reporting Greg Kroah-Hartman
2014-02-04 21:00 ` [PATCH 3.4 08/37] USB: Nokia 502 is an unusual device Greg Kroah-Hartman
2014-02-04 21:00 ` [PATCH 3.4 09/37] usb: xhci: Check for XHCI_PLAT in xhci_cleanup_msix() Greg Kroah-Hartman
2014-02-04 21:00 ` [PATCH 3.4 10/37] rtlwifi: rtl8192cu: Add new device ID Greg Kroah-Hartman
2014-02-04 21:00 ` [PATCH 3.4 11/37] rtlwifi: Set the link state Greg Kroah-Hartman
2014-02-04 21:00 ` [PATCH 3.4 12/37] rtlwifi: rtl8192cu: Fix some code in RF handling Greg Kroah-Hartman
2014-02-04 21:00 ` [PATCH 3.4 13/37] b43: Fix lockdep splat Greg Kroah-Hartman
2014-02-04 21:00 ` [PATCH 3.4 14/37] b43: Fix unload oops if firmware is not available Greg Kroah-Hartman
2014-02-04 21:00 ` [PATCH 3.4 15/37] b43legacy: " Greg Kroah-Hartman
2014-02-04 21:00 ` [PATCH 3.4 16/37] b43: fix the wrong assignment of status.freq in b43_rx() Greg Kroah-Hartman
2014-02-04 21:00 ` [PATCH 3.4 17/37] staging: r8712u: Set device type to wlan Greg Kroah-Hartman
2014-02-04 21:00 ` [PATCH 3.4 18/37] staging: vt6656: [BUG] BBvUpdatePreEDThreshold Always set sensitivity on bScanning Greg Kroah-Hartman
2014-02-04 21:00 ` [PATCH 3.4 19/37] tty/serial: at91: Handle shutdown more safely Greg Kroah-Hartman
2014-02-04 21:00 ` [PATCH 3.4 20/37] ARM: at91: smc: bug fix in sam9_smc_cs_read() Greg Kroah-Hartman
2014-02-04 21:00 ` [PATCH 3.4 21/37] serial: add support for 200 v3 series Titan card Greg Kroah-Hartman
2014-02-04 21:00 ` [PATCH 3.4 22/37] parport: parport_pc: remove double PCI ID for NetMos Greg Kroah-Hartman
2014-02-04 21:00 ` [PATCH 3.4 23/37] rtc-cmos: Add an alarm disable quirk Greg Kroah-Hartman
2014-02-04 21:01 ` [PATCH 3.4 24/37] ASoC: adau1701: Fix ADAU1701_SEROCTL_WORD_LEN_16 constant Greg Kroah-Hartman
2014-02-04 21:01 ` [PATCH 3.4 25/37] ALSA: rme9652: fix a missing comma in channel_map_9636_ds[] Greg Kroah-Hartman
2014-02-04 21:01 ` [PATCH 3.4 26/37] ALSA: Enable CONFIG_ZONE_DMA for smaller PCI DMA masks Greg Kroah-Hartman
2014-02-04 21:01 ` [PATCH 3.4 28/37] bnx2x: fix DMA unmapping of TSO split BDs Greg Kroah-Hartman
2014-02-04 21:01 ` [PATCH 3.4 29/37] inet_diag: fix inet_diag_dump_icsk() timewait socket state logic Greg Kroah-Hartman
2014-02-04 21:01 ` [PATCH 3.4 30/37] net: avoid reference counter overflows on fib_rules in multicast forwarding Greg Kroah-Hartman
2014-02-04 21:01 ` [PATCH 3.4 31/37] net,via-rhine: Fix tx_timeout handling Greg Kroah-Hartman
2014-02-04 21:01 ` [PATCH 3.4 32/37] KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367) Greg Kroah-Hartman
2014-02-04 21:01 ` [PATCH 3.4 33/37] usb: core: get config and string descriptors for unauthorized devices Greg Kroah-Hartman
2014-02-04 21:01 ` [PATCH 3.4 34/37] SCSI: bfa: Chinook quad port 16G FC HBA claim issue Greg Kroah-Hartman
2014-02-04 21:01 ` [PATCH 3.4 35/37] target/iscsi: Fix network portal creation race Greg Kroah-Hartman
2014-02-04 21:01 ` [PATCH 3.4 36/37] Btrfs: handle EAGAIN case properly in btrfs_drop_snapshot() Greg Kroah-Hartman
2014-02-04 21:01 ` [PATCH 3.4 37/37] powerpc: Make sure "cache" directory is removed when offlining cpu Greg Kroah-Hartman
2014-02-04 21:52 ` [PATCH 3.4 00/37] 3.4.79-stable review Guillaume Morin
2014-02-04 22:11 ` Greg Kroah-Hartman
2014-02-04 22:22 ` Guillaume Morin
2014-02-04 22:31 ` Greg Kroah-Hartman
2014-02-04 22:48 ` John Stultz
2014-02-04 23:35 ` Greg Kroah-Hartman
2014-02-05 6:36 ` Guenter Roeck
2014-02-05 20:38 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140204210056.132380353@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=hpa@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=pageexec@freemail.hu \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.