linux-cavium: CVE-2017-5669

Shmat allows mmap null page protection bypass Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5669 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-09-29 12:28:01 +0200
committer: Adrian Dudau <adrian.dudau@enea.com> 2017-09-29 13:08:46 +0200
commit: e5dfc5da18f3734979f44c47f1442484b40feb24 (patch)
tree: 87ccee3820ace45d16d071c1a9465c2034b7bc73
parent: 457bb241d20a2434228b566dc74a2a4bbee6c4ef (diff)
download: meta-enea-bsp-arm-e5dfc5da18f3734979f44c47f1442484b40feb24.tar.gz
2 files changed, 82 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-5669.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-5669.patch
new file mode 100644
index 0000000..7dcd09a
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-5669.patch
@@ -0,0 +1,81 @@
+From 270e84a1e6effd6c0c6e9b13b196b5fdaa392954 Mon Sep 17 00:00:00 2001
+From: Davidlohr Bueso <dave@stgolabs.net>
+Date: Mon, 27 Feb 2017 14:28:24 -0800
+Subject: [PATCH] ipc/shm: Fix shmat mmap nil-page protection
+commit 95e91b831f87ac8e1f8ed50c14d709089b4e01b8 upstream.
+The issue is described here, with a nice testcase:
+    https://bugzilla.kernel.org/show_bug.cgi?id=192931
+The problem is that shmat() calls do_mmap_pgoff() with MAP_FIXED, and
+the address rounded down to 0.  For the regular mmap case, the
+protection mentioned above is that the kernel gets to generate the
+address -- arch_get_unmapped_area() will always check for MAP_FIXED and
+return that address.  So by the time we do security_mmap_addr(0) things
+get funky for shmat().
+The testcase itself shows that while a regular user crashes, root will
+not have a problem attaching a nil-page.  There are two possible fixes
+to this.  The first, and which this patch does, is to simply allow root
+to crash as well -- this is also regular mmap behavior, ie when hacking
+up the testcase and adding mmap(...  |MAP_FIXED).  While this approach
+is the safer option, the second alternative is to ignore SHM_RND if the
+rounded address is 0, thus only having MAP_SHARED flags.  This makes the
+behavior of shmat() identical to the mmap() case.  The downside of this
+is obviously user visible, but does make sense in that it maintains
+semantics after the round-down wrt 0 address and mmap.
+Passes shm related ltp tests.
+CVE: CVE-2017-5669
+Upstream-Status: Backport [from kernel.org longterm 4.9.52]
+Link: http://lkml.kernel.org/r/1486050195-18629-1-git-send-email-dave@stgolabs.net
+Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
+Reported-by: Gareth Evans <gareth.evans@contextis.co.uk>
+Cc: Manfred Spraul <manfred@colorfullife.com>
+Cc: Michael Kerrisk <mtk.manpages@googlemail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ ipc/shm.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+diff --git a/ipc/shm.c b/ipc/shm.c
+index dbac886..e2072ae 100644
+--- a/ipc/shm.c
+++ b/ipc/shm.c
+@@ -1085,8 +1085,8 @@ static int shmctl_nolock(struct ipc_namespace *ns, int shmid,
+  * "raddr" thing points to kernel space, and there has to be a wrapper around
+  * this.
+  */
+-long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
+-             unsigned long shmlba)
+long do_shmat(int shmid, char __user *shmaddr, int shmflg,
+             ulong *raddr, unsigned long shmlba)
+ {
+        struct shmid_kernel *shp;
+        unsigned long addr;
+@@ -1107,8 +1107,13 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
+                goto out;
+        else if ((addr = (ulong)shmaddr)) {
+                if (addr & (shmlba - 1)) {
+-                       if (shmflg & SHM_RND)
+-                               addr &= ~(shmlba - 1);     /* round down */
+                       /*
+                        * Round down to the nearest multiple of shmlba.
+                        * For sane do_mmap_pgoff() parameters, avoid
+                        * round downs that trigger nil-page and MAP_FIXED.
+                        */
+                       if ((shmflg & SHM_RND) && addr >= shmlba)
+                               addr &= ~(shmlba - 1);
+                        else
+ #ifndef __ARCH_FORCE_SHMLBA
+                                if (addr & ~PAGE_MASK)
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc
index 8ff28fd..e35c12f 100644
--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -19,6 +19,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
           file://CVE-2016-10208.patch \
           file://CVE-2017-5551.patch \
           file://CVE-2017-5577.patch \
+           file://CVE-2017-5669.patch \
           file://CVE-2017-7487.patch \
           file://CVE-2017-7618.patch \
           file://CVE-2017-7645.patch \
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-09-29 12:28:01 +0200
committer	Adrian Dudau <adrian.dudau@enea.com>	2017-09-29 13:08:46 +0200
commit	e5dfc5da18f3734979f44c47f1442484b40feb24 (patch)
tree	87ccee3820ace45d16d071c1a9465c2034b7bc73
parent	457bb241d20a2434228b566dc74a2a4bbee6c4ef (diff)
download	meta-enea-bsp-arm-e5dfc5da18f3734979f44c47f1442484b40feb24.tar.gz

diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-5669.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-5669.patch new file mode 100644 index 0000000..7dcd09a --- /dev/null +++ b/recipes-kernel/linux/linux-cavium/CVE-2017-5669.patch
@@ -0,0 +1,81 @@
		1	From 270e84a1e6effd6c0c6e9b13b196b5fdaa392954 Mon Sep 17 00:00:00 2001
		2	From: Davidlohr Bueso <dave@stgolabs.net>
		3	Date: Mon, 27 Feb 2017 14:28:24 -0800
		4	Subject: [PATCH] ipc/shm: Fix shmat mmap nil-page protection
		5
		6	commit 95e91b831f87ac8e1f8ed50c14d709089b4e01b8 upstream.
		7
		8	The issue is described here, with a nice testcase:
		9
		10	https://bugzilla.kernel.org/show_bug.cgi?id=192931
		11
		12	The problem is that shmat() calls do_mmap_pgoff() with MAP_FIXED, and
		13	the address rounded down to 0. For the regular mmap case, the
		14	protection mentioned above is that the kernel gets to generate the
		15	address -- arch_get_unmapped_area() will always check for MAP_FIXED and
		16	return that address. So by the time we do security_mmap_addr(0) things
		17	get funky for shmat().
		18
		19	The testcase itself shows that while a regular user crashes, root will
		20	not have a problem attaching a nil-page. There are two possible fixes
		21	to this. The first, and which this patch does, is to simply allow root
		22	to crash as well -- this is also regular mmap behavior, ie when hacking
		23	up the testcase and adding mmap(... \|MAP_FIXED). While this approach
		24	is the safer option, the second alternative is to ignore SHM_RND if the
		25	rounded address is 0, thus only having MAP_SHARED flags. This makes the
		26	behavior of shmat() identical to the mmap() case. The downside of this
		27	is obviously user visible, but does make sense in that it maintains
		28	semantics after the round-down wrt 0 address and mmap.
		29
		30	Passes shm related ltp tests.
		31
		32	CVE: CVE-2017-5669
		33	Upstream-Status: Backport [from kernel.org longterm 4.9.52]
		34
		35	Link: http://lkml.kernel.org/r/1486050195-18629-1-git-send-email-dave@stgolabs.net
		36	Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
		37	Reported-by: Gareth Evans <gareth.evans@contextis.co.uk>
		38	Cc: Manfred Spraul <manfred@colorfullife.com>
		39	Cc: Michael Kerrisk <mtk.manpages@googlemail.com>
		40	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
		41	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
		42	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		43	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		44	---
		45	ipc/shm.c \| 13 +++++++++----
		46	1 file changed, 9 insertions(+), 4 deletions(-)
		47
		48	diff --git a/ipc/shm.c b/ipc/shm.c
		49	index dbac886..e2072ae 100644
		50	--- a/ipc/shm.c
		51	+++ b/ipc/shm.c
		52	@@ -1085,8 +1085,8 @@ static int shmctl_nolock(struct ipc_namespace *ns, int shmid,
		53	* "raddr" thing points to kernel space, and there has to be a wrapper around
		54	* this.
		55	*/
		56	-long do_shmat(int shmid, char __user shmaddr, int shmflg, ulong raddr,
		57	- unsigned long shmlba)
		58	+long do_shmat(int shmid, char __user *shmaddr, int shmflg,
		59	+ ulong *raddr, unsigned long shmlba)
		60	{
		61	struct shmid_kernel *shp;
		62	unsigned long addr;
		63	@@ -1107,8 +1107,13 @@ long do_shmat(int shmid, char __user shmaddr, int shmflg, ulong raddr,
		64	goto out;
		65	else if ((addr = (ulong)shmaddr)) {
		66	if (addr & (shmlba - 1)) {
		67	- if (shmflg & SHM_RND)
		68	- addr &= ~(shmlba - 1); /* round down */
		69	+ /*
		70	+ * Round down to the nearest multiple of shmlba.
		71	+ * For sane do_mmap_pgoff() parameters, avoid
		72	+ * round downs that trigger nil-page and MAP_FIXED.
		73	+ */
		74	+ if ((shmflg & SHM_RND) && addr >= shmlba)
		75	+ addr &= ~(shmlba - 1);
		76	else
		77	#ifndef __ARCH_FORCE_SHMLBA
		78	if (addr & ~PAGE_MASK)
		79	--
		80	1.9.1
		81


diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc index 8ff28fd..e35c12f 100644 --- a/recipes-kernel/linux/linux-cavium_4.9.inc +++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -19,6 +19,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
19	file://CVE-2016-10208.patch \	19	file://CVE-2016-10208.patch \
20	file://CVE-2017-5551.patch \	20	file://CVE-2017-5551.patch \
21	file://CVE-2017-5577.patch \	21	file://CVE-2017-5577.patch \
		22	file://CVE-2017-5669.patch \
22	file://CVE-2017-7487.patch \	23	file://CVE-2017-7487.patch \
23	file://CVE-2017-7618.patch \	24	file://CVE-2017-7618.patch \
24	file://CVE-2017-7645.patch \	25	file://CVE-2017-7645.patch \