author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-09-29 12:28:01 +0200 |
---|---|---|
committer | Adrian Dudau <adrian.dudau@enea.com> | 2017-09-29 13:08:46 +0200 |
commit | e5dfc5da18f3734979f44c47f1442484b40feb24 (patch) | |
tree | 87ccee3820ace45d16d071c1a9465c2034b7bc73 /recipes-kernel | |
parent | 457bb241d20a2434228b566dc74a2a4bbee6c4ef (diff) | |
linux-cavium: CVE-2017-5669
shmat() allows bypassing the mmap null-page protection (an attach whose SHM_RND round-down yields address 0)
Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5669
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
Diffstat (limited to 'recipes-kernel')
-rw-r--r-- | recipes-kernel/linux/linux-cavium/CVE-2017-5669.patch | 81 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-cavium_4.9.inc | 1 |
2 files changed, 82 insertions, 0 deletions
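--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-5669.patch
@@ -0,0 +1,81 @@
+From 270e84a1e6effd6c0c6e9b13b196b5fdaa392954 Mon Sep 17 00:00:00 2001
+From: Davidlohr Bueso <dave@stgolabs.net>
+Date: Mon, 27 Feb 2017 14:28:24 -0800
+Subject: [PATCH] ipc/shm: Fix shmat mmap nil-page protection
+
+commit 95e91b831f87ac8e1f8ed50c14d709089b4e01b8 upstream.
+
+The issue is described here, with a nice testcase:
+
+https://bugzilla.kernel.org/show_bug.cgi?id=192931
+
+The problem is that shmat() calls do_mmap_pgoff() with MAP_FIXED, and
+the address rounded down to 0. For the regular mmap case, the
+protection mentioned above is that the kernel gets to generate the
+address -- arch_get_unmapped_area() will always check for MAP_FIXED and
+return that address. So by the time we do security_mmap_addr(0) things
+get funky for shmat().
+
+The testcase itself shows that while a regular user crashes, root will
+not have a problem attaching a nil-page. There are two possible fixes
+to this. The first, and which this patch does, is to simply allow root
+to crash as well -- this is also regular mmap behavior, ie when hacking
+up the testcase and adding mmap(... |MAP_FIXED). While this approach
+is the safer option, the second alternative is to ignore SHM_RND if the
+rounded address is 0, thus only having MAP_SHARED flags. This makes the
+behavior of shmat() identical to the mmap() case. The downside of this
+is obviously user visible, but does make sense in that it maintains
+semantics after the round-down wrt 0 address and mmap.
+
+Passes shm related ltp tests.
+
+CVE: CVE-2017-5669
+Upstream-Status: Backport [from kernel.org longterm 4.9.52]
+
+Link: http://lkml.kernel.org/r/1486050195-18629-1-git-send-email-dave@stgolabs.net
+Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
+Reported-by: Gareth Evans <gareth.evans@contextis.co.uk>
+Cc: Manfred Spraul <manfred@colorfullife.com>
+Cc: Michael Kerrisk <mtk.manpages@googlemail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ipc/shm.c | 13 +++++++++----
+1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/ipc/shm.c b/ipc/shm.c
+index dbac886..e2072ae 100644
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -1085,8 +1085,8 @@ static int shmctl_nolock(struct ipc_namespace *ns, int shmid,
+* "raddr" thing points to kernel space, and there has to be a wrapper around
+* this.
+*/
+-long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
+- unsigned long shmlba)
++long do_shmat(int shmid, char __user *shmaddr, int shmflg,
++ ulong *raddr, unsigned long shmlba)
+{
+struct shmid_kernel *shp;
+unsigned long addr;
+@@ -1107,8 +1107,13 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
+goto out;
+else if ((addr = (ulong)shmaddr)) {
+if (addr & (shmlba - 1)) {
+- if (shmflg & SHM_RND)
+- addr &= ~(shmlba - 1); /* round down */
++ /*
++ * Round down to the nearest multiple of shmlba.
++ * For sane do_mmap_pgoff() parameters, avoid
++ * round downs that trigger nil-page and MAP_FIXED.
++ */
++ if ((shmflg & SHM_RND) && addr >= shmlba)
++ addr &= ~(shmlba - 1);
+else
+#ifndef __ARCH_FORCE_SHMLBA
+if (addr & ~PAGE_MASK)
+--
+1.9.1
+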
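Review bot: The new guard at patch line 74, `if ((shmflg & SHM_RND) && addr >= shmlba)`, stops rounding any non-zero address below shmlba instead of rounding it and then deciding whether the result is attachable, so every SHM_RND attach with 0 < addr < shmlba now falls into the `else` branch at lines 76-78 rather than being attempted at address 0. On an arch that defines __ARCH_FORCE_SHMLBA (the arm targets this BSP builds for, as far as I recall) that `else` branch looks like the unconditional error path, which turns a case that root could previously attach into a hard failure — a user-visible semantic change the patch description only alludes to with "allow root to crash as well". My recollection is that upstream later reverted this exact commit because it broke legitimate callers and replaced it with an unconditional round-down followed by a check on the rounded result, roughly `addr &= ~(shmlba - 1);` then `if (!addr && (shmflg & SHM_REMAP)) goto out;`; please confirm against the current 4.9 stable tree before the next rebase so this backport is not carried past the point where upstream replaced it. do_shmat's body and the `goto out` target of the `else` path are outside the hunk, so the exact errno returned for the rejected case is not visible here.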
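--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -19,6 +19,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
 file://CVE-2016-10208.patch \
 file://CVE-2017-5551.patch \
 file://CVE-2017-5577.patch \
+file://CVE-2017-5669.patch \
 file://CVE-2017-7487.patch \
 file://CVE-2017-7618.patch \
 file://CVE-2017-7645.patch \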