lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Mon, 30 Jun 2014 13:53:17 +0200
From:	Jiri Slaby <>
	Andy Lutomirski <>,
	Roland McGrath <>,
	"H. Peter Anvin" <>, Jiri Slaby <>
Subject: [PATCH 3.12 176/181] x86_32, entry: Do syscall exit work on badsys (CVE-2014-4508)

From: Andy Lutomirski <>

3.12-stable review patch.  If anyone has any objections, please let me know.


commit 554086d85e71f30abe46fc014fea31929a7c6a8a upstream.

The bad syscall nr paths are their own incomprehensible route
through the entry control flow.  Rearrange them to work just like
syscalls that return -ENOSYS.

This fixes an OOPS in the audit code when fast-path auditing is
enabled and sysenter gets a bad syscall nr (CVE-2014-4508).

This has probably been broken since Linux 2.6.27:
af0575bba0 i386 syscall audit fast-path

Cc: Roland McGrath <>
Reported-by: Toralf Förster <>
Signed-off-by: Andy Lutomirski <>
Signed-off-by: H. Peter Anvin <>
Signed-off-by: Jiri Slaby <>
 arch/x86/kernel/entry_32.S | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
index cef8f5132b87..3308125c90aa 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -434,9 +434,10 @@ sysenter_past_esp:
 	jnz sysenter_audit
 	cmpl $(NR_syscalls), %eax
-	jae syscall_badsys
+	jae sysenter_badsys
 	call *sys_call_table(,%eax,4)
 	movl %eax,PT_EAX(%esp)
@@ -686,7 +687,12 @@ END(syscall_fault)
 	movl $-ENOSYS,PT_EAX(%esp)
-	jmp resume_userspace
+	jmp syscall_exit
+	movl $-ENOSYS,PT_EAX(%esp)
+	jmp sysenter_after_call

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
More majordomo info at
Please read the FAQ at

Powered by blists - more mailing lists