CVE-2014-7843 aarch64: copying from /dev/zero causes local DoS (rhbz 1163744 1163745)
This commit is contained in:
Josh Boyer
parent
e5391d4a0a
commit
273eeba034
|
|
@ -0,0 +1,59 @@
|
|||
From 98e676789aa06582cb0d0f7758e77864b38c12a7 Mon Sep 17 00:00:00 2001
|
||||
From: Kyle McMartin <kyle@redhat.com>
|
||||
Date: Wed, 12 Nov 2014 16:07:44 -0500
|
||||
Subject: [PATCH] arm64: __clear_user: handle exceptions on strb
|
||||
|
||||
ARM64 currently doesn't fix up faults on the single-byte (strb) case of
|
||||
__clear_user... which means that we can cause a nasty kernel panic as an
|
||||
ordinary user with any multiple PAGE_SIZE+1 read from /dev/zero.
|
||||
i.e.: dd if=/dev/zero of=foo ibs=1 count=1 (or ibs=65537, etc.)
|
||||
|
||||
This is a pretty obscure bug in the general case since we'll only
|
||||
__do_kernel_fault (since there's no extable entry for pc) if the
|
||||
mmap_sem is contended. However, with CONFIG_DEBUG_VM enabled, we'll
|
||||
always fault.
|
||||
|
||||
if (!down_read_trylock(&mm->mmap_sem)) {
|
||||
if (!user_mode(regs) && !search_exception_tables(regs->pc))
|
||||
goto no_context;
|
||||
retry:
|
||||
down_read(&mm->mmap_sem);
|
||||
} else {
|
||||
/*
|
||||
* The above down_read_trylock() might have succeeded in
|
||||
* which
|
||||
* case, we'll have missed the might_sleep() from
|
||||
* down_read().
|
||||
*/
|
||||
might_sleep();
|
||||
#ifdef CONFIG_DEBUG_VM
|
||||
if (!user_mode(regs) && !search_exception_tables(regs->pc))
|
||||
goto no_context;
|
||||
#endif
|
||||
}
|
||||
|
||||
Fix that by adding an extable entry for the strb instruction, since it
|
||||
touches user memory, similar to the other stores in __clear_user.
|
||||
|
||||
Signed-off-by: Kyle McMartin <kyle@redhat.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
---
|
||||
arch/arm64/lib/clear_user.S | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/arch/arm64/lib/clear_user.S b/arch/arm64/lib/clear_user.S
|
||||
index 6e0ed93d51fe..c17967fdf5f6 100644
|
||||
--- a/arch/arm64/lib/clear_user.S
|
||||
+++ b/arch/arm64/lib/clear_user.S
|
||||
@@ -46,7 +46,7 @@ USER(9f, strh wzr, [x0], #2 )
|
||||
sub x1, x1, #2
|
||||
4: adds x1, x1, #1
|
||||
b.mi 5f
|
||||
- strb wzr, [x0]
|
||||
+USER(9f, strb wzr, [x0] )
|
||||
5: mov x0, #0
|
||||
ret
|
||||
ENDPROC(__clear_user)
|
||||
--
|
||||
1.9.3
|
||||
|
||||
|
|
@ -812,6 +812,9 @@ Patch26067: net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
|
|||
#CVE-2014-7842 rhbz 1163762 1163767
|
||||
Patch26068: KVM-x86-Don-t-report-guest-userspace-emulation-error.patch
|
||||
|
||||
#CVE-2014-7843 rhbz 1163744 1163745
|
||||
Patch26069: arm64-__clear_user-handle-exceptions-on-strb.patch
|
||||
|
||||
# git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
|
||||
Patch30000: kernel-arm64.patch
|
||||
|
||||
|
|
@ -1595,6 +1598,9 @@ ApplyPatch net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
|
|||
#CVE-2014-7842 rhbz 1163762 1163767
|
||||
ApplyPatch KVM-x86-Don-t-report-guest-userspace-emulation-error.patch
|
||||
|
||||
#CVE-2014-7843 rhbz 1163744 1163745
|
||||
ApplyPatch arm64-__clear_user-handle-exceptions-on-strb.patch
|
||||
|
||||
%if 0%{?aarch64patches}
|
||||
ApplyPatch kernel-arm64.patch
|
||||
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
|
||||
|
|
@ -2414,6 +2420,7 @@ fi
|
|||
# || ||
|
||||
%changelog
|
||||
* Thu Nov 13 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2014-7843 aarch64: copying from /dev/zero causes local DoS (rhbz 1163744 1163745)
|
||||
- CVE-2014-7842 kvm: reporting emulation failures to userspace (rhbz 1163762 1163767)
|
||||
|
||||
* Wed Nov 12 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
|
|
|
|||
Loading…
Reference in New Issue