From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Nelson Elhage <nelhage@ksplice.com>,
KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Subject: [26/44] do_exit(): make sure that we run with get_fs() == USER_DS
Date: Tue, 07 Dec 2010 16:04:25 -0800 [thread overview]
Message-ID: <20101208000642.151033921@clark.site> (raw)
In-Reply-To: <20101208003205.GA4286@kroah.com>
2.6.27-stable review patch. If anyone has any objections, please let us know.
------------------
From: Nelson Elhage <nelhage@ksplice.com>
commit 33dd94ae1ccbfb7bf0fb6c692bc3d1c4269e6177 upstream.
If a user manages to trigger an oops with fs set to KERNEL_DS, fs is not
otherwise reset before do_exit(). do_exit may later (via mm_release in
fork.c) do a put_user to a user-controlled address, potentially allowing
a user to leverage an oops into a controlled write into kernel memory.
This is only triggerable in the presence of another bug, but this
potentially turns a lot of DoS bugs into privilege escalations, so it's
worth fixing. I have proof-of-concept code which uses this bug along
with CVE-2010-3849 to write a zero to an arbitrary kernel address, so
I've tested that this is not theoretical.
A more logical place to put this fix might be when we know an oops has
occurred, before we call do_exit(), but that would involve changing
every architecture, in multiple places.
Let's just stick it in do_exit instead.
[akpm@linux-foundation.org: update code comment]
Signed-off-by: Nelson Elhage <nelhage@ksplice.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
kernel/exit.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -1004,6 +1004,15 @@ NORET_TYPE void do_exit(long code)
if (unlikely(!tsk->pid))
panic("Attempted to kill the idle task!");
+ /*
+ * If do_exit is called because this processes oopsed, it's possible
+ * that get_fs() was left as KERNEL_DS, so reset it to USER_DS before
+ * continuing. Amongst other possible reasons, this is to prevent
+ * mm_release()->clear_child_tid() from writing to a user-controlled
+ * kernel address.
+ */
+ set_fs(USER_DS);
+
tracehook_report_exit(&code);
/*
next prev parent reply other threads:[~2010-12-08 0:38 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-12-08 0:32 [00/44] 2.6.27.57-stable review Greg KH
2010-12-08 0:04 ` [01/44] block: check for proper length of iov entries in blk_rq_map_user_iov() Greg KH
2010-12-08 0:04 ` [02/44] irda: Fix parameter extraction stack overflow Greg KH
2010-12-08 0:04 ` [03/44] irda: Fix heap memory corruption in iriap.c Greg KH
2010-12-08 0:04 ` [04/44] percpu: fix list_head init bug in __percpu_counter_init() Greg KH
2010-12-08 0:04 ` [05/44] um: fix global timer issue when using CONFIG_NO_HZ Greg KH
2010-12-08 0:04 ` [06/44] numa: fix slab_node(MPOL_BIND) Greg KH
2010-12-08 3:03 ` Lee Schermerhorn
2010-12-08 3:03 ` Lee Schermerhorn
2010-12-08 4:17 ` Greg KH
2010-12-08 4:37 ` Eric Dumazet
2010-12-08 13:54 ` Lee Schermerhorn
2010-12-08 4:33 ` Eric Dumazet
2010-12-08 5:07 ` Eric Dumazet
2010-12-08 13:53 ` Lee Schermerhorn
2010-12-08 0:04 ` [07/44] mm: fix return value of scan_lru_pages in memory unplug Greg KH
2010-12-08 0:04 ` [08/44] mm: fix is_mem_section_removable() page_order BUG_ON check Greg KH
2010-12-08 0:04 ` [09/44] ipc: initialize structure memory to zero for compat functions Greg KH
2010-12-08 0:04 ` [10/44] ipc: shm: fix information leak to userland Greg KH
2010-12-08 0:04 ` [11/44] sys_semctl: fix kernel stack leakage Greg KH
2010-12-08 0:04 ` [12/44] drivers/char/vt_ioctl.c: fix VT_OPENQRY error value Greg KH
2010-12-08 0:04 ` [13/44] eCryptfs: Clear LOOKUP_OPEN flag when creating lower file Greg KH
2010-12-08 0:04 ` [14/44] bio: take care not overflow page count when mapping/copying user data Greg KH
2010-12-08 0:04 ` [15/44] libata: fix NULL sdev dereference race in atapi_qc_complete() Greg KH
2010-12-08 0:04 ` [16/44] usb: misc: sisusbvga: fix information leak to userland Greg KH
2010-12-08 0:04 ` [17/44] usb: misc: iowarrior: " Greg KH
2010-12-08 0:04 ` [18/44] usb: core: " Greg KH
2010-12-08 0:04 ` [19/44] USB: EHCI: fix obscure race in ehci_endpoint_disable Greg KH
2010-12-08 0:04 ` [20/44] USB: storage: sierra_ms: fix sysfs file attribute Greg KH
2010-12-08 0:04 ` [21/44] USB: atm: ueagle-atm: fix up some permissions on the sysfs files Greg KH
2010-12-08 0:04 ` [22/44] USB: misc: cypress_cy7c63: fix up some sysfs attribute permissions Greg KH
2010-12-08 0:04 ` [23/44] USB: misc: usbled: " Greg KH
2010-12-08 0:04 ` [24/44] USB: misc: trancevibrator: fix up a sysfs attribute permission Greg KH
2010-12-08 0:04 ` [25/44] acpi-cpufreq: fix a memleak when unloading driver Greg KH
2010-12-08 0:04 ` Greg KH [this message]
2010-12-08 0:04 ` [27/44] DECnet: dont leak uninitialized stack byte Greg KH
2010-12-08 0:04 ` [28/44] ARM: 6482/2: Fix find_next_zero_bit and related assembly Greg KH
2010-12-08 0:04 ` [29/44] net: clear heap allocations for privileged ethtool actions Greg KH
2010-12-08 0:04 ` [30/44] xfrm4: strip ECN and IP Precedence bits in policy lookup Greg KH
2010-12-08 0:04 ` [31/44] net: Fix IPv6 PMTU disc. w/ asymmetric routes Greg KH
2010-12-08 0:04 ` [32/44] rose: Fix signedness issues wrt. digi count Greg KH
2010-12-08 0:04 ` [33/44] net: Fix the condition passed to sk_wait_event() Greg KH
2010-12-08 0:04 ` [34/44] Limit sysctl_tcp_mem and sysctl_udp_mem initializers to prevent integer overflows Greg KH
2010-12-08 1:22 ` Linus Torvalds
2010-12-08 4:16 ` Greg KH
2010-12-08 5:50 ` Eric Dumazet
2010-12-08 16:25 ` David Miller
2010-12-08 23:13 ` Greg KH
2010-12-08 0:04 ` [35/44] tcp: Fix race in tcp_poll Greg KH
2010-12-08 0:04 ` [36/44] net: Truncate recvfrom and sendto length to INT_MAX Greg KH
2010-12-08 0:04 ` [37/44] ipv6: conntrack: Add member of user to nf_ct_frag6_queue structure Greg KH
2010-12-08 0:04 ` [38/44] x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet Greg KH
2010-12-08 0:04 ` [39/44] memory corruption in X.25 facilities parsing Greg KH
2010-12-08 0:04 ` [40/44] can-bcm: fix minor heap overflow Greg KH
2010-12-08 0:04 ` [41/44] V4L/DVB: ivtvfb: prevent reading uninitialized stack memory Greg KH
2010-12-08 0:04 ` [42/44] x25: Prevent crashing when parsing bad X.25 facilities Greg KH
2010-12-08 0:04 ` [43/44] econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849 Greg KH
2010-12-08 0:04 ` [44/44] econet: fix CVE-2010-3850 Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20101208000642.151033921@clark.site \
--to=gregkh@suse.de \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=kosaki.motohiro@jp.fujitsu.com \
--cc=linux-kernel@vger.kernel.org \
--cc=nelhage@ksplice.com \
--cc=stable-review@kernel.org \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox