From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, PaX Team <pageexec@freemail.hu>,
	"H. Peter Anvin" <hpa@linux.intel.com>,
	Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 3.10 009/104] x86, x32: Correct invalid use of user timespec in the kernel
Date: Tue,  4 Feb 2014 13:01:12 -0800
Message-ID: <20140204210223.002349270@linuxfoundation.org>
In-Reply-To: <20140204210222.731641778@linuxfoundation.org>

3.10-stable review patch.  If anyone has any objections, please let me know.

------------------

From: PaX Team <pageexec@freemail.hu>

commit 2def2ef2ae5f3990aabdbe8a755911902707d268 upstream.

The x32 case for the recvmsg() timeout handling is broken:

  asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg,
                                      unsigned int vlen, unsigned int flags,
                                      struct compat_timespec __user *timeout)
  {
          int datagrams;
          struct timespec ktspec;

          if (flags & MSG_CMSG_COMPAT)
                  return -EINVAL;

          if (COMPAT_USE_64BIT_TIME)
                  return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
                                        flags | MSG_CMSG_COMPAT,
                                        (struct timespec *) timeout);
          ...

The timeout pointer parameter is provided by userland (hence the __user
annotation) but for x32 syscalls it's simply cast to a kernel pointer
and is passed to __sys_recvmmsg which will eventually directly
dereference it for both reading and writing.  Other callers to
__sys_recvmmsg properly copy from userland to the kernel first.

The bug was introduced by commit ee4fa23c4bfc ("compat: Use
COMPAT_USE_64BIT_TIME in net/compat.c") and should affect all kernels
since 3.4 (and perhaps vendor kernels if they backported x32 support
along with this code).

Note that CONFIG_X86_X32_ABI gets enabled at build time and only if
CONFIG_X86_X32 is enabled and ld can build x32 executables.

Other uses of COMPAT_USE_64BIT_TIME seem fine.

This addresses CVE-2014-0038.

Signed-off-by: PaX Team <pageexec@freemail.hu>
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/compat.c |    9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

--- a/net/compat.c
+++ b/net/compat.c
@@ -780,21 +780,16 @@ asmlinkage long compat_sys_recvmmsg(int
 	if (flags & MSG_CMSG_COMPAT)
 		return -EINVAL;
 
-	if (COMPAT_USE_64BIT_TIME)
-		return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
-				      flags | MSG_CMSG_COMPAT,
-				      (struct timespec *) timeout);
-
 	if (timeout == NULL)
 		return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
 				      flags | MSG_CMSG_COMPAT, NULL);
 
-	if (get_compat_timespec(&ktspec, timeout))
+	if (compat_get_timespec(&ktspec, timeout))
 		return -EFAULT;
 
 	datagrams = __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
 				   flags | MSG_CMSG_COMPAT, &ktspec);
-	if (datagrams > 0 && put_compat_timespec(&ktspec, timeout))
+	if (datagrams > 0 && compat_put_timespec(&ktspec, timeout))
 		datagrams = -EFAULT;
 
 	return datagrams;
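Review bot: With the COMPAT_USE_64BIT_TIME early return removed, `timeout` now only reaches the NULL check and the compat_get_timespec()/compat_put_timespec() copies, so the __user pointer is no longer dereferenced anywhere in this function; that is the right shape for the fix. What makes the x32 path correct is the rename from get_compat_timespec()/put_compat_timespec() to compat_get_timespec()/compat_put_timespec(), since the code left in the hunk has no 64-bit-time branch of its own any more; the backport therefore depends on the 3.10 tree already carrying compat_get_timespec()/compat_put_timespec() with COMPAT_USE_64BIT_TIME handling, and that should be confirmed before merging, otherwise the hunk will not build. The `datagrams > 0` guard on the write-back is unchanged, so a failed or empty receive still leaves the user's timeout untouched, as before.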



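The copy-in / copy-out discipline the patch restores, shown as an added userland model; this is example code written for this page, not kernel code and not from the patch or its authors. Everything prefixed `model_`, the flat `model_user_mem` buffer standing in for a user address space, and the `MODEL_EFAULT` constant are assumptions made for the example: `model_access_ok()` plays the role of access_ok(), `model_copy_from_user()`/`model_copy_to_user()` of copy_from_user()/copy_to_user(), `model_sys_recvmmsg()` of __sys_recvmmsg(), and `model_compat_recvmmsg()` has the shape of the fixed compat_sys_recvmmsg().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model errno value (same number as EFAULT on Linux/x86; assumption for the example). */
#define MODEL_EFAULT 14

/* A 64-bit timespec, the layout x32 shares with the native x86-64 kernel. */
struct model_timespec {
    int64_t tv_sec;
    int64_t tv_nsec;
};

/* Constructed "user address space": only offsets in [0, MODEL_USER_SIZE)
 * are valid user addresses. A user pointer is an offset into this buffer;
 * offset 0 plays the role of NULL. */
#define MODEL_USER_SIZE 4096
static unsigned char model_user_mem[MODEL_USER_SIZE];

/* Stand-in for access_ok(): the range must lie wholly inside the user
 * region; the subtraction form also rejects ranges that wrap past its end. */
static int model_access_ok(uintptr_t uaddr, size_t len)
{
    return uaddr < MODEL_USER_SIZE && len <= MODEL_USER_SIZE - uaddr;
}

/* Stand-ins for copy_from_user()/copy_to_user(): range-check, then copy
 * into or out of a kernel-owned buffer. The kernel never dereferences the
 * user address itself. Return 0 on success, -EFAULT otherwise. */
static int model_copy_from_user(void *dst, uintptr_t uaddr, size_t len)
{
    if (!model_access_ok(uaddr, len))
        return -MODEL_EFAULT;
    memcpy(dst, model_user_mem + uaddr, len);
    return 0;
}

static int model_copy_to_user(uintptr_t uaddr, const void *src, size_t len)
{
    if (!model_access_ok(uaddr, len))
        return -MODEL_EFAULT;
    memcpy(model_user_mem + uaddr, src, len);
    return 0;
}

/* Stand-in for __sys_recvmmsg(): expects a KERNEL timespec pointer (or NULL)
 * and both reads and writes it, as the real function updates the remaining
 * timeout. Here it "consumes" one second and reports vlen datagrams. */
static int model_sys_recvmmsg(unsigned int vlen, struct model_timespec *timeout)
{
    if (timeout && timeout->tv_sec > 0)
        timeout->tv_sec -= 1;
    return (int)vlen;
}

/* The compat entry point in the shape the patch leaves it: NULL check,
 * copy-in to a kernel-owned ktspec, call, copy-out only on success. The
 * removed COMPAT_USE_64BIT_TIME branch would instead have handed utimeout
 * straight to model_sys_recvmmsg(), bypassing every check above. */
static int model_compat_recvmmsg(unsigned int vlen, uintptr_t utimeout)
{
    struct model_timespec ktspec;
    int datagrams;

    if (utimeout == 0)
        return model_sys_recvmmsg(vlen, NULL);

    if (model_copy_from_user(&ktspec, utimeout, sizeof ktspec))
        return -MODEL_EFAULT;

    datagrams = model_sys_recvmmsg(vlen, &ktspec);
    if (datagrams > 0 && model_copy_to_user(utimeout, &ktspec, sizeof ktspec))
        datagrams = -MODEL_EFAULT;

    return datagrams;
}

/* Valid case: a 5 s timeout stored at user offset 64. Returns the tv_sec the
 * user sees afterwards (4), or -1 if the call did not report 3 datagrams. */
static int64_t model_run_valid_case(void)
{
    struct model_timespec ts = { 5, 0 }, back;
    memcpy(model_user_mem + 64, &ts, sizeof ts);
    if (model_compat_recvmmsg(3, 64) != 3)
        return -1;
    memcpy(&back, model_user_mem + 64, sizeof back);
    return back.tv_sec;
}

int main(void)
{
    printf("valid pointer: remaining %lld s\n", (long long)model_run_valid_case());
    printf("NULL timeout: %d datagrams\n", model_compat_recvmmsg(2, 0));
    printf("pointer straddling end of user region: %d\n",
           model_compat_recvmmsg(3, MODEL_USER_SIZE - 8));
    return 0;
}
```

The point the model makes is structural rather than numeric: the only way a user-supplied address can influence kernel memory is through `model_copy_from_user()` and `model_copy_to_user()`, both of which fail closed with -EFAULT when the range is not entirely inside the user region. A cast like the one the patch deletes skips that gate, so the range check, and with it the protection against arbitrary kernel read and write, never runs.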