3.10-stable patches

author Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Sat, 28 Jun 2014 16:36:45 +0000 (12:36 -0400)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Sat, 28 Jun 2014 16:36:45 +0000 (12:36 -0400)
author Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 28 Jun 2014 16:36:45 +0000 (12:36 -0400)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 28 Jun 2014 16:36:45 +0000 (12:36 -0400)
diff --git a/queue-3.10/series b/queue-3.10/series

index 5769c245c9b655e3293421dab57336d276bd940b..3d529ba9a2db321cdf4bb26837f8fb885a8ba06c 100644 (file)
--- a/queue-3.10/series
+++ b/queue-3.10/series
@@ -74,3 +74,4 @@ btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch
  usb-usbtest-add-timetout-to-simple_io.patch
  target-iser-improve-cm-events-handling.patch
  target-iser-wait-for-proper-cleanup-before-unloading.patch
+x86_32-entry-do-syscall-exit-work-on-badsys-cve-2014-4508.patch
diff --git a/queue-3.10/x86_32-entry-do-syscall-exit-work-on-badsys-cve-2014-4508.patch b/queue-3.10/x86_32-entry-do-syscall-exit-work-on-badsys-cve-2014-4508.patch

new file mode 100644 (file)

index 0000000..8e31dc1
--- /dev/null
+++ b/queue-3.10/x86_32-entry-do-syscall-exit-work-on-badsys-cve-2014-4508.patch
@@ -0,0 +1,61 @@
+From 554086d85e71f30abe46fc014fea31929a7c6a8a Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@amacapital.net>
+Date: Mon, 23 Jun 2014 14:22:15 -0700
+Subject: x86_32, entry: Do syscall exit work on badsys (CVE-2014-4508)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andy Lutomirski <luto@amacapital.net>
+
+commit 554086d85e71f30abe46fc014fea31929a7c6a8a upstream.
+
+The bad syscall nr paths are their own incomprehensible route
+through the entry control flow.  Rearrange them to work just like
+syscalls that return -ENOSYS.
+
+This fixes an OOPS in the audit code when fast-path auditing is
+enabled and sysenter gets a bad syscall nr (CVE-2014-4508).
+
+This has probably been broken since Linux 2.6.27:
+af0575bba0 i386 syscall audit fast-path
+
+Cc: Roland McGrath <roland@redhat.com>
+Reported-by: Toralf Förster <toralf.foerster@gmx.de>
+Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+Link: http://lkml.kernel.org/r/e09c499eade6fc321266dd6b54da7beb28d6991c.1403558229.git.luto@amacapital.net
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/entry_32.S |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/entry_32.S
++++ b/arch/x86/kernel/entry_32.S
+@@ -434,9 +434,10 @@ sysenter_past_esp:
+       jnz sysenter_audit
+ sysenter_do_call:
+       cmpl $(NR_syscalls), %eax
+-      jae syscall_badsys
++      jae sysenter_badsys
+       call *sys_call_table(,%eax,4)
+       movl %eax,PT_EAX(%esp)
++sysenter_after_call:
+       LOCKDEP_SYS_EXIT
+       DISABLE_INTERRUPTS(CLBR_ANY)
+       TRACE_IRQS_OFF
+@@ -686,7 +687,12 @@ END(syscall_fault)
+ 
+ syscall_badsys:
+       movl $-ENOSYS,PT_EAX(%esp)
+-      jmp resume_userspace
++      jmp syscall_exit
++END(syscall_badsys)
++
++sysenter_badsys:
++      movl $-ENOSYS,PT_EAX(%esp)
++      jmp sysenter_after_call
+ END(syscall_badsys)
+       CFI_ENDPROC
+ /*
author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Sat, 28 Jun 2014 16:36:45 +0000 (12:36 -0400)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Sat, 28 Jun 2014 16:36:45 +0000 (12:36 -0400)
queue-3.10/series		patch \| blob \| blame \| history
queue-3.10/x86_32-entry-do-syscall-exit-work-on-badsys-cve-2014-4508.patch	[new file with mode: 0644]	patch \| blob