From 2a8d61f909d9615e10065795b5934477200816bf Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sat, 28 Jun 2014 12:36:45 -0400
Subject: [PATCH] 3.10-stable patches

added patches:
x86_32-entry-do-syscall-exit-work-on-badsys-cve-2014-4508.patch
---
 queue-3.10/series | 1 +
 ...ll-exit-work-on-badsys-cve-2014-4508.patch | 61 +++++++++++++++++++
 2 files changed, 62 insertions(+)
 create mode 100644 queue-3.10/x86_32-entry-do-syscall-exit-work-on-badsys-cve-2014-4508.patch

diff --git a/queue-3.10/series b/queue-3.10/series
index 5769c245c9b..3d529ba9a2d 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
@@ -74,3 +74,4 @@ btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch
 usb-usbtest-add-timetout-to-simple_io.patch
 target-iser-improve-cm-events-handling.patch
 target-iser-wait-for-proper-cleanup-before-unloading.patch
+x86_32-entry-do-syscall-exit-work-on-badsys-cve-2014-4508.patch
diff --git a/queue-3.10/x86_32-entry-do-syscall-exit-work-on-badsys-cve-2014-4508.patch b/queue-3.10/x86_32-entry-do-syscall-exit-work-on-badsys-cve-2014-4508.patch
new file mode 100644
index 00000000000..8e31dc1db2e
--- /dev/null
+++ b/queue-3.10/x86_32-entry-do-syscall-exit-work-on-badsys-cve-2014-4508.patch
@@ -0,0 +1,61 @@
+From 554086d85e71f30abe46fc014fea31929a7c6a8a Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski
+Date: Mon, 23 Jun 2014 14:22:15 -0700
+Subject: x86_32, entry: Do syscall exit work on badsys (CVE-2014-4508)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andy Lutomirski
+
+commit 554086d85e71f30abe46fc014fea31929a7c6a8a upstream.
+
+The bad syscall nr paths are their own incomprehensible route
+through the entry control flow. Rearrange them to work just like
+syscalls that return -ENOSYS.
+
+This fixes an OOPS in the audit code when fast-path auditing is
+enabled and sysenter gets a bad syscall nr (CVE-2014-4508).
+
+This has probably been broken since Linux 2.6.27:
+af0575bba0 i386 syscall audit fast-path
+
+Cc: Roland McGrath
+Reported-by: Toralf Förster
+Signed-off-by: Andy Lutomirski
+Link: http://lkml.kernel.org/r/e09c499eade6fc321266dd6b54da7beb28d6991c.1403558229.git.luto@amacapital.net
+Signed-off-by: H. Peter Anvin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/entry_32.S | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/entry_32.S
++++ b/arch/x86/kernel/entry_32.S
+@@ -434,9 +434,10 @@ sysenter_past_esp:
+ jnz sysenter_audit
+ sysenter_do_call:
+ cmpl $(NR_syscalls), %eax
+- jae syscall_badsys
++ jae sysenter_badsys
+ call *sys_call_table(,%eax,4)
+ movl %eax,PT_EAX(%esp)
++sysenter_after_call:
+ LOCKDEP_SYS_EXIT
+ DISABLE_INTERRUPTS(CLBR_ANY)
+ TRACE_IRQS_OFF
+@@ -686,7 +687,12 @@ END(syscall_fault)
+ 
+ syscall_badsys:
+ movl $-ENOSYS,PT_EAX(%esp)
+- jmp resume_userspace
++ jmp syscall_exit
++END(syscall_badsys)
++
++sysenter_badsys:
++ movl $-ENOSYS,PT_EAX(%esp)
++ jmp sysenter_after_call
+ END(syscall_badsys)
+ CFI_ENDPROC
+ /*
-- 
2.47.3
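Review bot: The pre-existing context line `END(syscall_badsys)` that now follows the new `sysenter_badsys` block closes the wrong symbol — the patch already adds `END(syscall_badsys)` after `jmp syscall_exit`, so the second occurrence should read `END(sysenter_badsys)`. END() presumably expands to an ELF `.size` directive, so as written `sysenter_badsys` gets no size and `syscall_badsys`'s size is emitted twice; this does not affect the control-flow fix but leaves misleading symbol metadata for debuggers and unwinders. The routing itself looks right for the CVE: both bad-nr paths store `-ENOSYS` in PT_EAX and rejoin the normal exit paths (`syscall_exit` and the new `sysenter_after_call` label) rather than short-circuiting via `resume_userspace`, which per the description is what let the audit exit hook be skipped. The `sysenter_exit`/`syscall_exit` code these labels fall into is outside the hunk, so whether 3.10's exit path performs the same TIF work checks as upstream cannot be confirmed from here and should be verified when applying the backport.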