From 243c2fd97b5cfd484f805ddd0aad8c8ccdec6920 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 12 Mar 2013 08:51:34 -0400 Subject: [PATCH] CVE-2013-0914 sa_restorer information leak (rhbz 920499 920510) --- kernel.spec | 9 ++ ...l-always-clear-sa_restorer-on-execve.patch | 113 ++++++++++++++++++ 2 files changed, 122 insertions(+) create mode 100644 signal-always-clear-sa_restorer-on-execve.patch diff --git a/kernel.spec b/kernel.spec index 2258d3b07..2e020c01b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -742,6 +742,9 @@ Patch21268: w1-fix-oops-when-w1_search-is-called-from.patch #rhbz 911771 Patch21269: serial-8250-Keep-8250.-xxxx-module-options-functiona.patch +#CVE-2013-0914 rhbz 920499 920510 +Patch21270: signal-always-clear-sa_restorer-on-execve.patch + Patch22000: weird-root-dentry-name-debug.patch #selinux ptrace child permissions @@ -1442,6 +1445,9 @@ ApplyPatch w1-fix-oops-when-w1_search-is-called-from.patch #rhbz 911771 ApplyPatch serial-8250-Keep-8250.-xxxx-module-options-functiona.patch +#CVE-2013-0914 rhbz 920499 920510 +ApplyPatch signal-always-clear-sa_restorer-on-execve.patch + # END OF PATCH APPLICATIONS %endif @@ -2274,6 +2280,9 @@ fi # and build. %changelog +* Tue Mar 12 2013 Josh Boyer +- CVE-2013-0914 sa_restorer information leak (rhbz 920499 920510) + * Tue Mar 12 2013 Dave Airlie - add QXL driver (f19 only) diff --git a/signal-always-clear-sa_restorer-on-execve.patch b/signal-always-clear-sa_restorer-on-execve.patch new file mode 100644 index 000000000..feb005c44 --- /dev/null +++ b/signal-always-clear-sa_restorer-on-execve.patch @@ -0,0 +1,113 @@ + +Delivered-To: jwboyer@gmail.com +Received: by 10.76.169.233 with SMTP id ah9csp99159oac; + Mon, 11 Mar 2013 13:14:17 -0700 (PDT) +X-Received: by 10.68.179.1 with SMTP id dc1mr24297029pbc.128.1363032856671; + Mon, 11 Mar 2013 13:14:16 -0700 (PDT) +Return-Path: +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id tx10si24737165pbc.272.2013.03.11.13.14.10; + Mon, 11 Mar 2013 13:14:16 -0700 (PDT) +Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1754069Ab3CKUN4 (ORCPT + 99 others); + Mon, 11 Mar 2013 16:13:56 -0400 +Received: from smtp.outflux.net ([198.145.64.163]:59839 "EHLO smtp.outflux.net" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1753913Ab3CKUN4 (ORCPT ); + Mon, 11 Mar 2013 16:13:56 -0400 +Received: from www.outflux.net (serenity-end.outflux.net [10.2.0.2]) + by vinyl.outflux.net (8.14.4/8.14.4/Debian-2ubuntu2) with ESMTP id r2BKDgjn022201; + Mon, 11 Mar 2013 13:13:43 -0700 +Date: Mon, 11 Mar 2013 13:13:42 -0700 +From: Kees Cook +To: linux-kernel@vger.kernel.org +Cc: Al Viro , Oleg Nesterov , + Andrew Morton , + "Eric W. Biederman" , + Serge Hallyn , + Emese Revfy , + PaX Team , jln@google.com +Subject: [PATCH v2] signal: always clear sa_restorer on execve +Message-ID: <20130311201342.GA19824@www.outflux.net> +MIME-Version: 1.0 +Content-Type: text/plain; charset=us-ascii +Content-Disposition: inline +X-MIMEDefang-Filter: outflux$Revision: 1.316 $ +X-HELO: www.outflux.net +X-Scanned-By: MIMEDefang 2.71 on 10.2.0.1 +Sender: linux-kernel-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-kernel@vger.kernel.org + +When the new signal handlers are set up, the location of sa_restorer +is not cleared, leaking a parent process's address space location to +children. This allows for a potential bypass of the parent's ASLR by +examining the sa_restorer value returned when calling sigaction(). + +Based on what should be considered "secret" about addresses, it only +matters across the exec not the fork (since the VMAs haven't changed +until the exec). But since exec sets SIG_DFL and keeps sa_restorer, +this is where it should be fixed. + +Given the few uses of sa_restorer, a "set" function was not written +since this would be the only use. Instead, we use __ARCH_HAS_SA_RESTORER, +as already done in other places. + +Example of the leak before applying this patch: + +$ cat /proc/$$/maps +... +7fb9f3083000-7fb9f3238000 r-xp 00000000 fd:01 404469 .../libc-2.15.so +... +$ ./leak +... +7f278bc74000-7f278be29000 r-xp 00000000 fd:01 404469 .../libc-2.15.so +... +1 0 (nil) 0x7fb9f30b94a0 +2 4000000 (nil) 0x7f278bcaa4a0 +3 4000000 (nil) 0x7f278bcaa4a0 +4 0 (nil) 0x7fb9f30b94a0 +... + +Signed-off-by: Kees Cook +Reported-by: Emese Revfy +Cc: Emese Revfy +Cc: PaX Team +Cc: stable@vger.kernel.org +--- +v2: + - clarify commit, explain use of #ifdef. +--- + kernel/signal.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/signal.c b/kernel/signal.c +index 2ec870a..8c8e3ca 100644 +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -485,6 +485,9 @@ flush_signal_handlers(struct task_struct *t, int force_default) + if (force_default || ka->sa.sa_handler != SIG_IGN) + ka->sa.sa_handler = SIG_DFL; + ka->sa.sa_flags = 0; ++#ifdef __ARCH_HAS_SA_RESTORER ++ ka->sa.sa_restorer = NULL; ++#endif + sigemptyset(&ka->sa.sa_mask); + ka++; + } +-- +1.7.9.5 + + +-- +Kees Cook +Chrome OS Security +-- +To unsubscribe from this list: send the line "unsubscribe linux-kernel" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html +Please read the FAQ at http://www.tux.org/lkml/