CVE-2014-0206 aio: insufficient head sanitization in aio_read_events_ring (rhbz 1094602 1112975)
parent
c90b4f95b3
commit
3d7abd60bf
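--- /dev/null
+++ b/aio-fix-aio-request-leak-when-events-are-reaped-by-u.patch
@@ -0,0 +1,48 @@
+Bugzilla: 1112975
+Upstream-status: 3.16 and CC'd to stable
+
+From f8567a3845ac05bb28f3c1b478ef752762bd39ef Mon Sep 17 00:00:00 2001
+From: Benjamin LaHaise <bcrl@kvack.org>
+Date: Tue, 24 Jun 2014 13:12:55 -0400
+Subject: [PATCH] aio: fix aio request leak when events are reaped by userspace
+
+The aio cleanups and optimizations by kmo that were merged into the 3.10
+tree added a regression for userspace event reaping. Specifically, the
+reference counts are not decremented if the event is reaped in userspace,
+leading to the application being unable to submit further aio requests.
+This patch applies to 3.12+. A separate backport is required for 3.10/3.11.
+This issue was uncovered as part of CVE-2014-0206.
+
+Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
+Cc: stable@vger.kernel.org
+Cc: Kent Overstreet <kmo@daterainc.com>
+Cc: Mateusz Guzik <mguzik@redhat.com>
+Cc: Petr Matousek <pmatouse@redhat.com>
+---
+fs/aio.c | 3 +--
+1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/fs/aio.c b/fs/aio.c
+index 4f078c054b41..6a9c7e489adf 100644
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -1021,6 +1021,7 @@ void aio_complete(struct kiocb *iocb, long res, long res2)
+
+/* everything turned out well, dispose of the aiocb. */
+kiocb_free(iocb);
++ put_reqs_available(ctx, 1);
+
+/*
+* We have to order our ring_info tail store above and test
+@@ -1100,8 +1101,6 @@ static long aio_read_events_ring(struct kioctx *ctx,
+flush_dcache_page(ctx->ring_pages[0]);
+
+pr_debug("%li h%u t%u\n", ret, head, tail);
+-
+- put_reqs_available(ctx, ret);
+out:
+mutex_unlock(&ctx->ring_lock);
+
+--
+1.9.3
+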
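--- /dev/null
+++ b/aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch
@@ -0,0 +1,46 @@
+Bugzilla: 1112975
+Upstream-status: 3.16 and CC'd to stable
+
+From edfbbf388f293d70bf4b7c0bc38774d05e6f711a Mon Sep 17 00:00:00 2001
+From: Benjamin LaHaise <bcrl@kvack.org>
+Date: Tue, 24 Jun 2014 13:32:51 -0400
+Subject: [PATCH] aio: fix kernel memory disclosure in io_getevents()
+introduced in v3.10
+
+A kernel memory disclosure was introduced in aio_read_events_ring() in v3.10
+by commit a31ad380bed817aa25f8830ad23e1a0480fef797. The changes made to
+aio_read_events_ring() failed to correctly limit the index into
+ctx->ring_pages[], allowing an attacked to cause the subsequent kmap() of
+an arbitrary page with a copy_to_user() to copy the contents into userspace.
+This vulnerability has been assigned CVE-2014-0206. Thanks to Mateusz and
+Petr for disclosing this issue.
+
+This patch applies to v3.12+. A separate backport is needed for 3.10/3.11.
+
+Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
+Cc: Mateusz Guzik <mguzik@redhat.com>
+Cc: Petr Matousek <pmatouse@redhat.com>
+Cc: Kent Overstreet <kmo@daterainc.com>
+Cc: Jeff Moyer <jmoyer@redhat.com>
+Cc: stable@vger.kernel.org
+---
+fs/aio.c | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/fs/aio.c b/fs/aio.c
+index 6a9c7e489adf..955947ef3e02 100644
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -1063,6 +1063,9 @@ static long aio_read_events_ring(struct kioctx *ctx,
+if (head == tail)
+goto out;
+
++ head %= ctx->nr_events;
++ tail %= ctx->nr_events;
++
+while (ret < nr) {
+long avail;
+struct io_event *ev;
+--
+1.9.3
+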
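Review bot: The two added wrap lines in aio_read_events_ring carry no comment saying why the modulo is needed, so a reader of the backport has to reconstruct from the commit message that the unchecked index into ctx->ring_pages[] is what made the kmap()/copy_to_user() path disclose kernel memory. The ring is presumably shared with userspace (the companion patch describes events being reaped in userspace), which would make head untrusted by the time it reaches this code; a one-line comment such as `/* head/tail come from the shared ring; wrap them before they index ring_pages[] */` above `head %= ctx->nr_events;` would record that trust boundary. If the upstream patch is to stay verbatim, the comment belongs in a local follow-up rather than in this file. aio_read_events_ring's body starts and ends outside the hunk.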
11
kernel.spec
11
kernel.spec
@ -741,6 +741,10 @@ Patch25104: intel_pstate-Update-documentation-of-max-min_perf_pct-sysfs-files.pa
#CVE-2014-4508 rhbz 1111590 1112073
Patch25106: x86_32-entry-Do-syscall-exit-work-on-badsys.patch
#CVE-2014-0206 rhbz 1094602 1112975
Patch25107: aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch
Patch25108: aio-fix-aio-request-leak-when-events-are-reaped-by-u.patch
# END OF PATCH DEFINITIONS
%endif
@ -1450,6 +1454,10 @@ ApplyPatch intel_pstate-Update-documentation-of-max-min_perf_pct-sysfs-files.pat
#CVE-2014-4508 rhbz 1111590 1112073
ApplyPatch x86_32-entry-Do-syscall-exit-work-on-badsys.patch
#CVE-2014-0206 rhbz 1094602 1112975
ApplyPatch aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch
ApplyPatch aio-fix-aio-request-leak-when-events-are-reaped-by-u.patch
# END OF PATCH APPLICATIONS
%endif
@ -2262,6 +2270,9 @@ fi
# ||----w |
# || ||
%changelog
* Wed Jun 25 2014 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2014-0206 aio: insufficient head sanitization in aio_read_events_ring (rhbz 1094602 1112975)
* Mon Jun 23 2014 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2014-4508 BUG in x86_32 syscall auditing (rhbz 1111590 1112073)
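Review bot: Patch25107 (the memory-disclosure fix) is defined and applied before Patch25108 (the request-leak fix), which is the reverse of the order the two upstream commits were made in: the leak fix's embedded index line takes fs/aio.c from 4f078c054b41 to 6a9c7e489adf, and the disclosure fix's index line starts from 6a9c7e489adf. The hunks touch disjoint regions of fs/aio.c (aio_complete near line 1021, aio_read_events_ring near 1063 and 1100), so the second patch should still apply, only with a line offset, and the same ordering is repeated in the ApplyPatch hunk. Swapping the two definitions so that `Patch25107: aio-fix-aio-request-leak-when-events-are-reaped-by-u.patch` precedes `Patch25108: aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch`, and the two ApplyPatch lines likewise, would match upstream and keep the index lines meaningful for anyone verifying the backport.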