From: "Toralf Förster" <toralf.foerster@gmx.de>
To: Andy Lutomirski <luto@amacapital.net>, "H. Peter Anvin" <hpa@zytor.com>
Cc: Richard Weinberger <richard@nod.at>, X86 ML <x86@kernel.org>,
Eric Paris <eparis@redhat.com>,
Linux Kernel <linux-kernel@vger.kernel.org>
Subject: Re: 3.15: kernel BUG at kernel/auditsc.c:1525!
Date: Fri, 20 Jun 2014 19:35:29 +0200 [thread overview]
Message-ID: <53A470E1.6090004@gmx.de> (raw)
In-Reply-To: <CALCETrXhmLGvD0ff2HhRmL33UnYvb7eEbEqREANLYYDTJcwN7Q@mail.gmail.com>
On 06/20/2014 05:41 PM, Andy Lutomirski wrote:
> On Mon, Jun 16, 2014 at 2:48 PM, H. Peter Anvin <hpa@zytor.com> wrote:
>> On 06/16/2014 02:35 PM, Andy Lutomirski wrote:
>>>
>>> To hpa, etc: It appears that entry_32.S is missing any call to the
>>> audit exit hook on the badsys path. If I'm diagnosing this bug report
>>> correctly, this causes OOPSes.
>>>
>>> The the world at large: it's increasingly apparent that no one (except
>>> maybe the blackhats) has ever scrutinized the syscall auditing code.
>>> This is two old severe bugs in the code that have probably been there
>>> for a long time.
>>>
>>
>> Yes, the audit code is a total mess.
>>
>>> The bad syscall nr paths are their own incomprehensible route
>>> through the entry control flow. Rearrange them to work just like
>>> syscalls that return -ENOSYS.
>>
>> I have to admit... it sort of lends itself to a solution like this:
>>
>> /* For the 64-bit case, analogous code for 32 bits */
>> movl $__NR_syscall_max+1,%ecx # *Not* __NR_syscall_max
>> cmpq %rcx,%rax
>> cmovae %rcx,%rax
>> movq %r10,%rcx
>> call *sys_call_table(,%rax,8)
>>
>> ... and having an extra (invalid) system call slot in the syscall table
>> beyond the end instead of branching off separately.
>>
>> (Note: we could use either cmova or cmovae, and either the 32- or 64-bit
>> form... the reason why is left as an exercise to the reader.)
>
> This is CVE-2014-4508, and it's probably worth fixing.
>
> Is my patch good? I can resent and cc stable if needed.
>
> --Andy
>
I'm running my system since the time you sent it to me w/o any problems with that patch on top of 3.15.1 :
tfoerste@n22 ~/devel/linux $ cat ~/devel/priv/0001-x86_32-entry-Fix-badsys-paths.patch
>From 8b43bd2118d876cb3163e8f7d9cd8253da649335 Mon Sep 17 00:00:00 2001
Message-Id: <8b43bd2118d876cb3163e8f7d9cd8253da649335.1402954406.git.luto@amacapital.net>
From: Andy Lutomirski <luto@amacapital.net>
Date: Mon, 16 Jun 2014 14:28:19 -0700
Subject: [PATCH] x86_32,entry: Fix badsys paths
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The bad syscall nr paths are their own incomprehensible route
through the entry control flow. Rearrange them to work just like
syscalls that return -ENOSYS.
This should fix an OOPS in the audit code when auditing is enabled
and bad syscall nrs are used.
Reported-by: Toralf Förster <toralf.foerster@gmx.de>
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
---
--
Toralf
next prev parent reply other threads:[~2014-06-20 17:35 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-16 16:33 3.15: kernel BUG at kernel/auditsc.c:1525! Toralf Förster
2014-06-16 17:21 ` Richard Weinberger
2014-06-16 17:25 ` Andy Lutomirski
2014-06-16 17:29 ` Richard Weinberger
2014-06-16 17:32 ` Andy Lutomirski
2014-06-16 17:36 ` Toralf Förster
2014-06-16 17:50 ` Andy Lutomirski
2014-06-16 17:59 ` Toralf Förster
2014-06-16 18:15 ` Andy Lutomirski
2014-06-16 18:21 ` Toralf Förster
2014-06-16 18:24 ` Andy Lutomirski
2014-06-16 18:36 ` Toralf Förster
2014-06-16 20:41 ` Toralf Förster
2014-06-16 20:43 ` Richard Weinberger
2014-06-16 21:35 ` Andy Lutomirski
2014-06-16 21:48 ` H. Peter Anvin
2014-06-16 21:54 ` Andy Lutomirski
2014-06-16 21:58 ` H. Peter Anvin
2014-06-16 22:00 ` Andy Lutomirski
2014-06-20 15:41 ` Andy Lutomirski
2014-06-20 17:35 ` Toralf Förster [this message]
2014-06-23 21:04 ` Josh Boyer
2014-06-23 21:22 ` [PATCH] x86_32,entry: Do syscall exit work on badsys (CVE-2014-4508) Andy Lutomirski
2014-06-23 22:18 ` [tip:x86/urgent] x86_32, entry: Do syscall exit work on badsys ( CVE-2014-4508) tip-bot for Andy Lutomirski
2014-06-24 10:51 ` [PATCH] x86_32,entry: Do syscall exit work on badsys (CVE-2014-4508) Borislav Petkov
2014-06-24 20:53 ` Andy Lutomirski
2014-06-24 21:18 ` Borislav Petkov
2014-07-01 10:52 ` Quentin Casasnovas
2014-07-01 14:14 ` Andy Lutomirski
2014-06-17 15:38 ` 3.15: kernel BUG at kernel/auditsc.c:1525! Toralf Förster
2014-06-17 16:19 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53A470E1.6090004@gmx.de \
--to=toralf.foerster@gmx.de \
--cc=eparis@redhat.com \
--cc=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=richard@nod.at \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox