Fix local privilege escalation in MSR code (rhbz 908693 908706)

kernel.spec

@@ -54,7 +54,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 6
+%global baserelease 7
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -748,6 +748,9 @@ Patch21245: ext4-set-bg_itable_unused-when-resizing.patch
 #rhbz 896051 896038 CVE-2013-0190
 Patch21250: xen-fix-stack-corruption-in-xen_failsafe_callback.patch
 
+#rhbz 908693 908706
+Patch21251: x86-msr-Add-capabilities-check.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1415,6 +1418,9 @@ ApplyPatch ext4-set-bg_itable_unused-when-resizing.patch
 #rhbz 896051 896038 CVE-2013-0190
 ApplyPatch xen-fix-stack-corruption-in-xen_failsafe_callback.patch
 
+#rhbz 908693 908706
+ApplyPatch x86-msr-Add-capabilities-check.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2115,6 +2121,9 @@ fi
 # and build.
 
 %changelog
+* Thu Feb 07 2013 Josh Boyer <jwboyer@redhat.com>
+- Fix local privilege escalation in MSR code (rhbz 908693 908706)
+
 * Wed Jan 23 2013 Dave Jones <davej@redhat.com>
 - Remove warning about empty IPI mask.
 

x86-msr-Add-capabilities-check.patch

@@ -0,0 +1,54 @@
+From b9f93c7550b62939f250fad55b111637b0f66bc8 Mon Sep 17 00:00:00 2001
+From: Alan Cox <alan@linux.intel.com>
+Date: Thu, 15 Nov 2012 13:06:22 +0000
+Subject: [PATCH] x86/msr: Add capabilities check
+
+commit c903f0456bc69176912dee6dd25c6a66ee1aed00 upstream.
+
+At the moment the MSR driver only relies upon file system
+checks. This means that anything as root with any capability set
+can write to MSRs. Historically that wasn't very interesting but
+on modern processors the MSRs are such that writing to them
+provides several ways to execute arbitary code in kernel space.
+Sample code and documentation on doing this is circulating and
+MSR attacks are used on Windows 64bit rootkits already.
+
+In the Linux case you still need to be able to open the device
+file so the impact is fairly limited and reduces the security of
+some capability and security model based systems down towards
+that of a generic "root owns the box" setup.
+
+Therefore they should require CAP_SYS_RAWIO to prevent an
+elevation of capabilities. The impact of this is fairly minimal
+on most setups because they don't have heavy use of
+capabilities. Those using SELinux, SMACK or AppArmor rules might
+want to consider if their rulesets on the MSR driver could be
+tighter.
+
+Signed-off-by: Alan Cox <alan@linux.intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/msr.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
+index a7c5661..4929502 100644
+--- a/arch/x86/kernel/msr.c
++++ b/arch/x86/kernel/msr.c
+@@ -174,6 +174,9 @@ static int msr_open(struct inode *inode, struct file *file)
+ 	unsigned int cpu;
+ 	struct cpuinfo_x86 *c;
+ 
++	if (!capable(CAP_SYS_RAWIO))
++		return -EPERM;
++
+ 	cpu = iminor(file->f_path.dentry->d_inode);
+ 	if (cpu >= nr_cpu_ids || !cpu_online(cpu))
+ 		return -ENXIO;	/* No such CPU */
+-- 
+1.8.1
+