stable.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, PaX Team <pageexec@freemail.hu>,
	"H. Peter Anvin" <hpa@linux.intel.com>,
	Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 3.4 04/37] x86, x32: Correct invalid use of user timespec in the kernel
Date: Tue,  4 Feb 2014 13:00:40 -0800
Message-ID: <20140204210056.132380353@linuxfoundation.org>
In-Reply-To: <20140204210055.992134150@linuxfoundation.org>

3.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: PaX Team <pageexec@freemail.hu>

commit 2def2ef2ae5f3990aabdbe8a755911902707d268 upstream.

The x32 case for the recvmsg() timeout handling is broken:

  asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg,
                                      unsigned int vlen, unsigned int flags,
                                      struct compat_timespec __user *timeout)
  {
          int datagrams;
          struct timespec ktspec;

          if (flags & MSG_CMSG_COMPAT)
                  return -EINVAL;

          if (COMPAT_USE_64BIT_TIME)
                  return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
                                        flags | MSG_CMSG_COMPAT,
                                        (struct timespec *) timeout);
          ...

The timeout pointer parameter is provided by userland (hence the __user
annotation) but for x32 syscalls it's simply cast to a kernel pointer
and is passed to __sys_recvmmsg which will eventually directly
dereference it for both reading and writing.  Other callers to
__sys_recvmmsg properly copy from userland to the kernel first.

The bug was introduced by commit ee4fa23c4bfc ("compat: Use
COMPAT_USE_64BIT_TIME in net/compat.c") and should affect all kernels
since 3.4 (and perhaps vendor kernels if they backported x32 support
along with this code).

Note that CONFIG_X86_X32_ABI gets enabled at build time and only if
CONFIG_X86_X32 is enabled and ld can build x32 executables.

Other uses of COMPAT_USE_64BIT_TIME seem fine.

This addresses CVE-2014-0038.

Signed-off-by: PaX Team <pageexec@freemail.hu>
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/compat.c |    9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

--- a/net/compat.c
+++ b/net/compat.c
@@ -789,21 +789,16 @@ asmlinkage long compat_sys_recvmmsg(int
 	if (flags & MSG_CMSG_COMPAT)
 		return -EINVAL;
 
-	if (COMPAT_USE_64BIT_TIME)
-		return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
-				      flags | MSG_CMSG_COMPAT,
-				      (struct timespec *) timeout);
-
 	if (timeout == NULL)
 		return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
 				      flags | MSG_CMSG_COMPAT, NULL);
 
-	if (get_compat_timespec(&ktspec, timeout))
+	if (compat_get_timespec(&ktspec, timeout))
 		return -EFAULT;
 
 	datagrams = __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
 				   flags | MSG_CMSG_COMPAT, &ktspec);
-	if (datagrams > 0 && put_compat_timespec(&ktspec, timeout))
+	if (datagrams > 0 && compat_put_timespec(&ktspec, timeout))
 		datagrams = -EFAULT;
 
 	return datagrams;
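Review bot: with the COMPAT_USE_64BIT_TIME early return removed, the x32 case now takes the same copy-in/copy-out path as every other compat caller, so this hunk is only correct if the two renamed helpers carry the 64-bit time handling themselves: compat_get_timespec/compat_put_timespec must cope with COMPAT_USE_64BIT_TIME, which get_compat_timespec/put_compat_timespec (32-bit layout only) did not, so the renames are load-bearing rather than cosmetic and should be called out as such in the backport description. For a 3.4-stable backport it is also worth confirming that both helpers exist with these names in that tree before merging; the timeout == NULL early return and the "only write back when datagrams > 0" logic are unchanged context and need no further review.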


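As an added illustration, not part of the patch or of the kernel, here is a user-space model of the pattern the fix restores: the user-supplied timeout is only ever touched through copy helpers that range-check it, never cast to a kernel pointer and dereferenced. The arena, the `_m`-suffixed stand-ins, `kernel_side_m` and the sample values are all constructed for the model; the x32 case is modelled by giving both sides the same `struct timespec_m` layout, which is exactly the situation in which the copy looked redundant.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
/* Constructed model, not kernel code: a small arena stands in for the user
 * address space and anything outside it is kernel memory. The x32 timespec has
 * the same layout on both sides, which made the copy look redundant; the range
 * check the copy performs is the part that matters. */
struct timespec_m { int64_t tv_sec; int64_t tv_nsec; };
static struct timespec_m user_arena[4];      /* 64 bytes of "user" memory */
struct timespec_m kernel_side_m = { 5, 0 };  /* .data, outside the arena */
static int access_ok_m(const void *p, size_t n) {
    uintptr_t off = (uintptr_t)p - (uintptr_t)user_arena; /* wraps if p < arena */
    return off <= sizeof user_arena && n <= sizeof user_arena - off;
}
/* copy_{from,to}_user stand-ins: this check is what a raw cast skips. */
static int copy_from_user_m(void *dst, const void *usrc, size_t n) {
    if (!access_ok_m(usrc, n)) return -EFAULT;
    memcpy(dst, usrc, n);
    return 0;
}
static int copy_to_user_m(void *udst, const void *src, size_t n) {
    if (!access_ok_m(udst, n)) return -EFAULT;
    memcpy(udst, src, n);
    return 0;
}
/* Stand-in for __sys_recvmmsg: takes a KERNEL timespec, consumes one second
 * of the timeout and reports two datagrams received. */
static int sys_recvmmsg_m(struct timespec_m *timeout) {
    if (timeout) timeout->tv_sec -= 1;
    return 2;
}
/* Fixed wrapper, same shape as the patched compat_sys_recvmmsg. */
int compat_recvmmsg_fixed(struct timespec_m *utimeout) {
    struct timespec_m ktspec;
    int datagrams;
    if (utimeout == NULL) return sys_recvmmsg_m(NULL);
    if (copy_from_user_m(&ktspec, utimeout, sizeof ktspec)) return -EFAULT;
    datagrams = sys_recvmmsg_m(&ktspec);
    if (datagrams > 0 && copy_to_user_m(utimeout, &ktspec, sizeof ktspec))
        datagrams = -EFAULT;
    return datagrams;
}
/* Genuine user pointer: seconds left after the call, as written back (5 -> 4). */
int64_t remaining_after_user_call(void) {
    struct timespec_m t = { 5, 0 };
    memcpy(user_arena, &t, sizeof t);
    if (compat_recvmmsg_fixed(user_arena) != 2) return -1;
    memcpy(&t, user_arena, sizeof t);
    return t.tv_sec;
}
```

Passing `&kernel_side_m` as the "user" pointer is refused with -EFAULT and the object is left untouched, which is the outcome the removed cast-and-dereference path could not guarantee.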
