[x86] x86_32, entry: Do syscall exit work on badsys (CVE-2014-4508)
svn path=/dists/sid/linux/; revision=21477
This commit is contained in:
parent
7948accb8e
commit
194b7a793f
|
@ -53,6 +53,7 @@ linux (3.14.9-1) UNRELEASED; urgency=medium
|
|||
- bugfix, handling an error in opening a FIFO
|
||||
- propagate aufs file references to new vmas created by remap_file_pages()
|
||||
* linux-image: Make initramfs support unconditional
|
||||
* [x86] x86_32, entry: Do syscall exit work on badsys (CVE-2014-4508)
|
||||
|
||||
[ Aurelien Jarno ]
|
||||
* [arm64] Enable COMPAT to support 32-bit binaries.
|
||||
|
|
56
debian/patches/bugfix/x86/x86_32-entry-Do-syscall-exit-work-on-badsys-CVE-2014.patch
vendored
Normal file
56
debian/patches/bugfix/x86/x86_32-entry-Do-syscall-exit-work-on-badsys-CVE-2014.patch
vendored
Normal file
|
@ -0,0 +1,56 @@
|
|||
From: Andy Lutomirski <luto@amacapital.net>
|
||||
Date: Mon, 23 Jun 2014 14:22:15 -0700
|
||||
Subject: x86_32, entry: Do syscall exit work on badsys (CVE-2014-4508)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
Origin: https://git.kernel.org/linus/554086d85e71f30abe46fc014fea31929a7c6a8a
|
||||
|
||||
The bad syscall nr paths are their own incomprehensible route
|
||||
through the entry control flow. Rearrange them to work just like
|
||||
syscalls that return -ENOSYS.
|
||||
|
||||
This fixes an OOPS in the audit code when fast-path auditing is
|
||||
enabled and sysenter gets a bad syscall nr (CVE-2014-4508).
|
||||
|
||||
This has probably been broken since Linux 2.6.27:
|
||||
af0575bba0 i386 syscall audit fast-path
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Cc: Roland McGrath <roland@redhat.com>
|
||||
Reported-by: Toralf Förster <toralf.foerster@gmx.de>
|
||||
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
|
||||
Link: http://lkml.kernel.org/r/e09c499eade6fc321266dd6b54da7beb28d6991c.1403558229.git.luto@amacapital.net
|
||||
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
|
||||
---
|
||||
arch/x86/kernel/entry_32.S | 10 ++++++++--
|
||||
1 file changed, 8 insertions(+), 2 deletions(-)
|
||||
|
||||
--- a/arch/x86/kernel/entry_32.S
|
||||
+++ b/arch/x86/kernel/entry_32.S
|
||||
@@ -431,9 +431,10 @@ sysenter_past_esp:
|
||||
jnz sysenter_audit
|
||||
sysenter_do_call:
|
||||
cmpl $(NR_syscalls), %eax
|
||||
- jae syscall_badsys
|
||||
+ jae sysenter_badsys
|
||||
call *sys_call_table(,%eax,4)
|
||||
movl %eax,PT_EAX(%esp)
|
||||
+sysenter_after_call:
|
||||
LOCKDEP_SYS_EXIT
|
||||
DISABLE_INTERRUPTS(CLBR_ANY)
|
||||
TRACE_IRQS_OFF
|
||||
@@ -688,7 +689,12 @@ END(syscall_fault)
|
||||
|
||||
syscall_badsys:
|
||||
movl $-ENOSYS,PT_EAX(%esp)
|
||||
- jmp resume_userspace
|
||||
+ jmp syscall_exit
|
||||
+END(syscall_badsys)
|
||||
+
|
||||
+sysenter_badsys:
|
||||
+ movl $-ENOSYS,PT_EAX(%esp)
|
||||
+ jmp sysenter_after_call
|
||||
END(syscall_badsys)
|
||||
CFI_ENDPROC
|
||||
/*
|
|
@ -92,3 +92,4 @@ debian/dma-avoid-abi-change-in-3.14.6.patch
|
|||
debian/vfs-avoid-abi-change-for-cve-2014-4014.patch
|
||||
bugfix/all/SCSI-Fix-spurious-request-sense-in-error-handling.patch
|
||||
debian/alsa-avoid-abi-change-for-cve-2014-4652-fix.patch
|
||||
bugfix/x86/x86_32-entry-Do-syscall-exit-work-on-badsys-CVE-2014.patch
|
||||
|
|
Loading…
Reference in New Issue