| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <53A470E1.6090004@gmx.de> Date: Fri, 20 Jun 2014 19:35:29 +0200 From: Toralf Förster <toralf.foerster@....de> To: Andy Lutomirski <luto@...capital.net>, "H. Peter Anvin" <hpa@...or.com> CC: Richard Weinberger <richard@....at>, X86 ML <x86@...nel.org>, Eric Paris <eparis@...hat.com>, Linux Kernel <linux-kernel@...r.kernel.org> Subject: Re: 3.15: kernel BUG at kernel/auditsc.c:1525! On 06/20/2014 05:41 PM, Andy Lutomirski wrote: > On Mon, Jun 16, 2014 at 2:48 PM, H. Peter Anvin <hpa@...or.com> wrote: >> On 06/16/2014 02:35 PM, Andy Lutomirski wrote: >>> >>> To hpa, etc: It appears that entry_32.S is missing any call to the >>> audit exit hook on the badsys path. If I'm diagnosing this bug report >>> correctly, this causes OOPSes. >>> >>> The the world at large: it's increasingly apparent that no one (except >>> maybe the blackhats) has ever scrutinized the syscall auditing code. >>> This is two old severe bugs in the code that have probably been there >>> for a long time. >>> >> >> Yes, the audit code is a total mess. >> >>> The bad syscall nr paths are their own incomprehensible route >>> through the entry control flow. Rearrange them to work just like >>> syscalls that return -ENOSYS. >> >> I have to admit... it sort of lends itself to a solution like this: >> >> /* For the 64-bit case, analogous code for 32 bits */ >> movl $__NR_syscall_max+1,%ecx # *Not* __NR_syscall_max >> cmpq %rcx,%rax >> cmovae %rcx,%rax >> movq %r10,%rcx >> call *sys_call_table(,%rax,8) >> >> ... and having an extra (invalid) system call slot in the syscall table >> beyond the end instead of branching off separately. >> >> (Note: we could use either cmova or cmovae, and either the 32- or 64-bit >> form... the reason why is left as an exercise to the reader.) > > This is CVE-2014-4508, and it's probably worth fixing. > > Is my patch good? I can resent and cc stable if needed. > > --Andy > I'm running my system since the time you sent it to me w/o any problems with that patch on top of 3.15.1 : tfoerste@n22 ~/devel/linux $ cat ~/devel/priv/0001-x86_32-entry-Fix-badsys-paths.patch >From 8b43bd2118d876cb3163e8f7d9cd8253da649335 Mon Sep 17 00:00:00 2001 Message-Id: <8b43bd2118d876cb3163e8f7d9cd8253da649335.1402954406.git.luto@...capital.net> From: Andy Lutomirski <luto@...capital.net> Date: Mon, 16 Jun 2014 14:28:19 -0700 Subject: [PATCH] x86_32,entry: Fix badsys paths MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The bad syscall nr paths are their own incomprehensible route through the entry control flow. Rearrange them to work just like syscalls that return -ENOSYS. This should fix an OOPS in the audit code when auditing is enabled and bad syscall nrs are used. Reported-by: Toralf Förster <toralf.foerster@....de> Signed-off-by: Andy Lutomirski <luto@...capital.net> --- -- Toralf -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists