Fix local privilege escalation in MSR code (rhbz 908693 908706)
parent a3dd486e63
commit e0b1d41f1c
11
kernel.spec
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
||||||
# For non-released -rc kernels, this will be appended after the rcX and
|
# For non-released -rc kernels, this will be appended after the rcX and
|
||||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||||
#
|
#
|
||||||
%global baserelease 6
|
%global baserelease 7
|
||||||
%global fedora_build %{baserelease}
|
%global fedora_build %{baserelease}
|
||||||
|
|
||||||
# base_sublevel is the kernel version we're starting with and patching
|
# base_sublevel is the kernel version we're starting with and patching
|
||||||
|
@ -748,6 +748,9 @@ Patch21245: ext4-set-bg_itable_unused-when-resizing.patch
|
||||||
#rhbz 896051 896038 CVE-2013-0190
|
#rhbz 896051 896038 CVE-2013-0190
|
||||||
Patch21250: xen-fix-stack-corruption-in-xen_failsafe_callback.patch
|
Patch21250: xen-fix-stack-corruption-in-xen_failsafe_callback.patch
|
||||||
|
|
||||||
|
#rhbz 908693 908706
|
||||||
|
Patch21251: x86-msr-Add-capabilities-check.patch
|
||||||
|
|
||||||
# END OF PATCH DEFINITIONS
|
# END OF PATCH DEFINITIONS
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
|
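Review bot: The new tag comment `#rhbz 908693 908706` above `Patch21251` records only the Bugzilla numbers, while the entry directly before it (`#rhbz 896051 896038 CVE-2013-0190`) also carries the CVE. If a CVE has been assigned for the MSR issue, add it to this comment so the patch can be located by either identifier.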
@ -1415,6 +1418,9 @@ ApplyPatch ext4-set-bg_itable_unused-when-resizing.patch
|
||||||
#rhbz 896051 896038 CVE-2013-0190
|
#rhbz 896051 896038 CVE-2013-0190
|
||||||
ApplyPatch xen-fix-stack-corruption-in-xen_failsafe_callback.patch
|
ApplyPatch xen-fix-stack-corruption-in-xen_failsafe_callback.patch
|
||||||
|
|
||||||
|
#rhbz 908693 908706
|
||||||
|
ApplyPatch x86-msr-Add-capabilities-check.patch
|
||||||
|
|
||||||
# END OF PATCH APPLICATIONS
|
# END OF PATCH APPLICATIONS
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
|
@ -2115,6 +2121,9 @@ fi
|
||||||
# and build.
|
# and build.
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Feb 07 2013 Josh Boyer <jwboyer@redhat.com>
|
||||||
|
- Fix local privilege escalation in MSR code (rhbz 908693 908706)
|
||||||
|
|
||||||
* Wed Jan 23 2013 Dave Jones <davej@redhat.com>
|
* Wed Jan 23 2013 Dave Jones <davej@redhat.com>
|
||||||
- Remove warning about empty IPI mask.
|
- Remove warning about empty IPI mask.
|
||||||
|
|
||||||
|
|
|
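Review bot: The changelog entry under `Thu Feb 07 2013` gives the bug numbers but not the user-visible behaviour change that the patch introduces: opening the MSR device now returns `-EPERM` unless the caller holds `CAP_SYS_RAWIO`. Consider mentioning the capability in the entry, so that an administrator whose root process runs with a reduced capability set can trace a failing open back to this update.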
@ -0,0 +1,54 @@
|
||||||
|
From b9f93c7550b62939f250fad55b111637b0f66bc8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alan Cox <alan@linux.intel.com>
|
||||||
|
Date: Thu, 15 Nov 2012 13:06:22 +0000
|
||||||
|
Subject: [PATCH] x86/msr: Add capabilities check
|
||||||
|
|
||||||
|
commit c903f0456bc69176912dee6dd25c6a66ee1aed00 upstream.
|
||||||
|
|
||||||
|
At the moment the MSR driver only relies upon file system
|
||||||
|
checks. This means that anything as root with any capability set
|
||||||
|
can write to MSRs. Historically that wasn't very interesting but
|
||||||
|
on modern processors the MSRs are such that writing to them
|
||||||
|
provides several ways to execute arbitary code in kernel space.
|
||||||
|
Sample code and documentation on doing this is circulating and
|
||||||
|
MSR attacks are used on Windows 64bit rootkits already.
|
||||||
|
|
||||||
|
In the Linux case you still need to be able to open the device
|
||||||
|
file so the impact is fairly limited and reduces the security of
|
||||||
|
some capability and security model based systems down towards
|
||||||
|
that of a generic "root owns the box" setup.
|
||||||
|
|
||||||
|
Therefore they should require CAP_SYS_RAWIO to prevent an
|
||||||
|
elevation of capabilities. The impact of this is fairly minimal
|
||||||
|
on most setups because they don't have heavy use of
|
||||||
|
capabilities. Those using SELinux, SMACK or AppArmor rules might
|
||||||
|
want to consider if their rulesets on the MSR driver could be
|
||||||
|
tighter.
|
||||||
|
|
||||||
|
Signed-off-by: Alan Cox <alan@linux.intel.com>
|
||||||
|
Cc: Linus Torvalds <torvalds@linux-foundation.org>
|
||||||
|
Cc: Andrew Morton <akpm@linux-foundation.org>
|
||||||
|
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
|
||||||
|
Signed-off-by: Ingo Molnar <mingo@kernel.org>
|
||||||
|
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||||
|
---
|
||||||
|
arch/x86/kernel/msr.c | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
|
||||||
|
index a7c5661..4929502 100644
|
||||||
|
--- a/arch/x86/kernel/msr.c
|
||||||
|
+++ b/arch/x86/kernel/msr.c
|
||||||
|
@@ -174,6 +174,9 @@ static int msr_open(struct inode *inode, struct file *file)
|
||||||
|
unsigned int cpu;
|
||||||
|
struct cpuinfo_x86 *c;
|
||||||
|
|
||||||
|
+ if (!capable(CAP_SYS_RAWIO))
|
||||||
|
+ return -EPERM;
|
||||||
|
+
|
||||||
|
cpu = iminor(file->f_path.dentry->d_inode);
|
||||||
|
if (cpu >= nr_cpu_ids || !cpu_online(cpu))
|
||||||
|
return -ENXIO; /* No such CPU */
|
||||||
|
--
|
||||||
|
1.8.1
|
||||||
|
|
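Review bot: The `capable(CAP_SYS_RAWIO)` check added at the top of `msr_open()` is evaluated only at open time and for every open regardless of access mode. A descriptor obtained by a capable process therefore remains usable after that process drops the capability or passes the descriptor to another process, and read-only callers now need `CAP_SYS_RAWIO` as well. If the goal is specifically to gate MSR writes, consider repeating the check in the write path, and note in the description that read access is restricted too.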