Date:   Fri, 1 Dec 2017 16:57:26 +0100
From:   "Jason A. Donenfeld" <Jason@...c4.com>
To:     linux-arm-kernel@...ts.infradead.org,
        LKML <linux-kernel@...r.kernel.org>, stable@...r.kernel.org,
        AKASHI Takahiro <takahiro.akashi@...aro.org>,
        Willy Tarreau <w@....eu>
Subject: Essential get_user fix missing from 3.10 aarch64

Hi stable/arm/Willy,

1f65c13efef69b6dc908e588f91a133641d8475c is an important commit,
because it involves evaluation of pointers from userspace. I'm running
into issues with RNDADDTOENTCNT reading bogus values, because p is
incremented twice as much as it should in this random.c block:

        case RNDADDENTROPY:
               if (!capable(CAP_SYS_ADMIN))
                       return -EPERM;
               if (get_user(ent_count, p++))
                       return -EFAULT;
               if (ent_count < 0)
                       return -EINVAL;
               if (get_user(size, p++))
                       return -EFAULT;
               retval = write_pool(&input_pool, (const char __user *)p,
                                   size);

That seems reasonable, but on aarch64, get_user is defined as:

#define get_user(x, ptr)                                                \
({                                                                      \
       might_sleep();                                                  \
       access_ok(VERIFY_READ, (ptr), sizeof(*(ptr))) ?                 \
               __get_user((x), (ptr)) :                                \
               ((x) = 0, -EFAULT);                                     \
})

Notice the multiple use of ptr.

I thought I had found something breathtakingly bad, until I realized
that it was already fixed in 2013 by Takahiro. It just wasn't marked
for stable.

Not sure if there's ever going to be another stable 3.10 release, but
if so, this would be an important one to backport.

Regards,
Jason
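The macro pitfall described in the message, as an added user-space model (not Jason's code and not the kernel's): GET_USER_BUGGY expands its ptr argument twice like the pre-fix aarch64 get_user, GET_USER_FIXED reads ptr into a temporary once as the 2013 fix does, and parse_entropy_hdr walks a buffer the way the RNDADDENTROPY block does. The struct names, the bounds-check stand-in for access_ok() and the sample buffer are all constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>
/* Bounds of the simulated "user" buffer, standing in for access_ok(). */
struct ubuf { const int *base; size_t len; };
/* Buggy macro, modelled on the pre-fix aarch64 get_user(): `ptr` is expanded
 * twice (once in the range check, once in the fetch), so `p++` runs twice. */
#define GET_USER_BUGGY(x, ptr, lim)                                   \
        ((size_t)((ptr) - (lim).base) < (lim).len ?                   \
                ((x) = *(ptr), 0) : ((x) = 0, -1))

/* Fixed macro, following the shape of the 2013 fix: evaluate `ptr` exactly
 * once into a temporary and use only the temporary afterwards. */
#define GET_USER_FIXED(x, ptr, lim)                                   \
({                                                                    \
        __typeof__(ptr) __p = (ptr);                                  \
        (size_t)(__p - (lim).base) < (lim).len ?                      \
                ((x) = *__p, 0) : ((x) = 0, -1);                      \
})
struct parsed { int ent_count; int size; ptrdiff_t payload_off; int err; };

/* Walk a buffer the way RNDADDENTROPY does: ent_count, size, then payload.
 * `use_fixed` selects which macro performs the fetch. */
static struct parsed parse_entropy_hdr(const int *buf, size_t n, int use_fixed)
{
        struct ubuf lim = { buf, n };
        const int *p = buf;
        struct parsed r = { 0, 0, 0, 0 };
        if (use_fixed) {
                if (GET_USER_FIXED(r.ent_count, p++, lim)) { r.err = -1; return r; }
                if (GET_USER_FIXED(r.size, p++, lim))      { r.err = -1; return r; }
        } else {
                if (GET_USER_BUGGY(r.ent_count, p++, lim)) { r.err = -1; return r; }
                if (GET_USER_BUGGY(r.size, p++, lim))      { r.err = -1; return r; }
        }
        r.payload_off = p - buf;   /* where write_pool() would start reading */
        return r;
}

/* Constructed sample: ent_count = 64 bits, size = 3 words, then 3 payload words. */
static const int sample[] = { 64, 3, 0x11111111, 0x22222222, 0x33333333 };
enum { SAMPLE_LEN = sizeof(sample) / sizeof(sample[0]) };
int main(void)
{
        struct parsed b = parse_entropy_hdr(sample, SAMPLE_LEN, 0);
        struct parsed f = parse_entropy_hdr(sample, SAMPLE_LEN, 1);
        printf("buggy: ent_count=%d size=0x%x payload_off=%td\n", b.ent_count, b.size, b.payload_off);
        printf("fixed: ent_count=%d size=0x%x payload_off=%td\n", f.ent_count, f.size, f.payload_off);
        return 0;
}
```

With the buggy macro the header is read from the wrong words (ent_count 3, size 0x22222222) and the payload pointer has advanced four words instead of two, which is the "bogus values" symptom the message reports.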
