From: Greg Kroah-Hartman
Date: Sat, 28 Jun 2014 16:37:15 +0000 (-0400)
Subject: 3.4-stable patches
X-Git-Tag: v3.4.96~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=33895a1e0ce768abd2f07d95066bdbcdfcf635af;p=thirdparty%2Fkernel%2Fstable-queue.git

3.4-stable patches

added patches:
x86_32-entry-do-syscall-exit-work-on-badsys-cve-2014-4508.patch
---
diff --git a/queue-3.4/series b/queue-3.4/series
index f1e6e788962..dca22826fa8 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -40,3 +40,4 @@ fs-btrfs-volumes.c-fix-for-possible-null-pointer-dereference.patch
 btrfs-use-right-type-to-get-real-comparison.patch
 btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch
 usb-usbtest-add-timetout-to-simple_io.patch
+x86_32-entry-do-syscall-exit-work-on-badsys-cve-2014-4508.patch
diff --git a/queue-3.4/x86_32-entry-do-syscall-exit-work-on-badsys-cve-2014-4508.patch b/queue-3.4/x86_32-entry-do-syscall-exit-work-on-badsys-cve-2014-4508.patch
new file mode 100644
index 00000000000..c73a90f2698
--- /dev/null
+++ b/queue-3.4/x86_32-entry-do-syscall-exit-work-on-badsys-cve-2014-4508.patch
@@ -0,0 +1,61 @@
+From 554086d85e71f30abe46fc014fea31929a7c6a8a Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski
+Date: Mon, 23 Jun 2014 14:22:15 -0700
+Subject: x86_32, entry: Do syscall exit work on badsys (CVE-2014-4508)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andy Lutomirski
+
+commit 554086d85e71f30abe46fc014fea31929a7c6a8a upstream.
+
+The bad syscall nr paths are their own incomprehensible route
+through the entry control flow. Rearrange them to work just like
+syscalls that return -ENOSYS.
+
+This fixes an OOPS in the audit code when fast-path auditing is
+enabled and sysenter gets a bad syscall nr (CVE-2014-4508).
+
+This has probably been broken since Linux 2.6.27:
+af0575bba0 i386 syscall audit fast-path
+
+Cc: Roland McGrath
+Reported-by: Toralf Förster
+Signed-off-by: Andy Lutomirski
+Link: http://lkml.kernel.org/r/e09c499eade6fc321266dd6b54da7beb28d6991c.1403558229.git.luto@amacapital.net
+Signed-off-by: H. Peter Anvin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/entry_32.S | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/entry_32.S
++++ b/arch/x86/kernel/entry_32.S
+@@ -426,9 +426,10 @@ sysenter_past_esp:
+ 	jnz sysenter_audit
+ sysenter_do_call:
+ 	cmpl $(NR_syscalls), %eax
+-	jae syscall_badsys
++	jae sysenter_badsys
+ 	call *sys_call_table(,%eax,4)
+ 	movl %eax,PT_EAX(%esp)
++sysenter_after_call:
+ 	LOCKDEP_SYS_EXIT
+ 	DISABLE_INTERRUPTS(CLBR_ANY)
+ 	TRACE_IRQS_OFF
+@@ -678,7 +679,12 @@ END(syscall_fault)
+ 
+ syscall_badsys:
+ 	movl $-ENOSYS,PT_EAX(%esp)
+-	jmp resume_userspace
++	jmp syscall_exit
++END(syscall_badsys)
++
++sysenter_badsys:
++	movl $-ENOSYS,PT_EAX(%esp)
++	jmp sysenter_after_call
+ END(syscall_badsys)
+ CFI_ENDPROC
+ /*
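Review bot: The new `sysenter_badsys` stub stores `-ENOSYS` only into the saved frame (`movl $-ENOSYS,PT_EAX(%esp)`) and leaves `%eax` holding the out-of-range syscall number, whereas the regular path it now joins at `sysenter_after_call:` arrives with the return value live in `%eax` (it is the `call *sys_call_table` result, copied to `PT_EAX(%esp)` one line earlier). Unless the sysexit path outside this hunk reloads `%eax` from `PT_EAX(%esp)` — and the fast path has no reason to — user space will see the syscall number itself as the return value for an unknown syscall on sysenter-capable CPUs, a correctness (and fingerprintable) difference from the int80 and ptrace paths that restore registers from the frame; the same concern applies to `syscall_badsys` jumping to `syscall_exit`. The fix that matches a real handler is to set `%eax` and let the common store write it into the frame, i.e. move the `sysenter_after_call:` label above `movl %eax,PT_EAX(%esp)` and have both stubs do `movl $-ENOSYS,%eax`, with an equivalent `syscall_after_call:` label placed before the int80 path's `movl %eax,PT_EAX(%esp)` (that store is outside the hunk). Minor: the new `sysenter_badsys` is closed by the pre-existing `END(syscall_badsys)` line, which should read `END(sysenter_badsys)` so the symbol size annotation applies to the right label. Both affected routines (`sysenter_entry` and the int80 tail) begin and end outside this hunk.
```asm
	call *sys_call_table(,%eax,4)
sysenter_after_call:
	movl %eax,PT_EAX(%esp)
	LOCKDEP_SYS_EXIT
# … unchanged: rest of the sysenter exit path …

syscall_badsys:
	movl $-ENOSYS,%eax
	jmp syscall_after_call	/* new label before the int80 path's movl %eax,PT_EAX(%esp) */
END(syscall_badsys)

sysenter_badsys:
	movl $-ENOSYS,%eax
	jmp sysenter_after_call
END(sysenter_badsys)
```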