lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 24 Jun 2014 13:53:25 -0700
From:	Andy Lutomirski <luto@...capital.net>
To:	Borislav Petkov <bp@...en8.de>
Cc:	"H. Peter Anvin" <hpa@...or.com>,
	Richard Weinberger <richard@....at>, X86 ML <x86@...nel.org>,
	Eric Paris <eparis@...hat.com>,
	Linux Kernel <linux-kernel@...r.kernel.org>,
	"security@...nel.org" <security@...nel.org>,
	Steven Rostedt <rostedt@...dmis.org>,
	Toralf Förster <toralf.foerster@....de>,
	stable <stable@...r.kernel.org>,
	Roland McGrath <roland@...hat.com>
Subject: Re: [PATCH] x86_32,entry: Do syscall exit work on badsys (CVE-2014-4508)

On Tue, Jun 24, 2014 at 3:51 AM, Borislav Petkov <bp@...en8.de> wrote:
> On Mon, Jun 23, 2014 at 02:22:15PM -0700, Andy Lutomirski wrote:
>> The bad syscall nr paths are their own incomprehensible route
>> through the entry control flow.  Rearrange them to work just like
>> syscalls that return -ENOSYS.
>>
>> This fixes an OOPS in the audit code when fast-path auditing is
>> enabled and sysenter gets a bad syscall nr (CVE-2014-4508).
>>
>> This has probably been broken since Linux 2.6.27:
>> af0575bba0 i386 syscall audit fast-path
>>
>> Cc: stable@...r.kernel.org
>> Cc: Roland McGrath <roland@...hat.com>
>> Reported-by: Toralf Förster <toralf.foerster@....de>
>> Signed-off-by: Andy Lutomirski <luto@...capital.net>
>> ---
>>
>> I realize that the syscall audit fast path and badsys code, on 32-bit
>> x86 no less, is possibly one of the least fun things in the kernel to
>> review, but this is still a real security bug and should get fixed :(
>>
>> So I'm cc-ing a bunch of people and maybe someone will review it.
>
> Well, AFAICS, you're rerouting execution so that the audit stuff gets
> properly "unwound" before returning to userspace. Which makes sense to
> me.
>
> Would it really work in all possible cases and isn't it causing any
> other problems?
>
> No friggin' idea - it would need extensive hammering to confirm it is ok
> IMHO.
>
> HTH.

It confirms my sense that no one knows how to test this stuff :-/
It's pretty clear that no one has ever extensively hammered it.

I wonder how much could be effectively rewritten in C.  I'm thinking
of redoing most of the entry work in C, but that won't help here.

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ