From f4a55466f032850b4ca8c495d76d06d18d77fb00 Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Tue, 27 Jan 2015 14:04:08 +0100 Subject: kernel-auditsc: CVE-2014-3917 audit_krule mask accesses need bounds checking Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3917 Signed-off-by: Sona Sarmadi --- .../linux/files/auditsc-CVE-2014-3917.patch | 91 ++++++++++++++++++++++ .../recipes-kernel/linux/linux-qoriq_3.12.bb | 1 + 2 files changed, 92 insertions(+) create mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/auditsc-CVE-2014-3917.patch diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/auditsc-CVE-2014-3917.patch b/meta-fsl-ppc/recipes-kernel/linux/files/auditsc-CVE-2014-3917.patch new file mode 100644 index 00000000..a0bdc271 --- /dev/null +++ b/meta-fsl-ppc/recipes-kernel/linux/files/auditsc-CVE-2014-3917.patch @@ -0,0 +1,91 @@ +From 6004b0e5ac2e8e9e1bb0f012dc9242e03cca95df Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski +Date: Wed, 28 May 2014 23:09:58 -0400 +Subject: [PATCH] auditsc: audit_krule mask accesses need bounds checking + +commit a3c54931199565930d6d84f4c3456f6440aefd41 upstream. + +Fixes an easy DoS and possible information disclosure. + +This does nothing about the broken state of x32 auditing. + +eparis: If the admin has enabled auditd and has specifically loaded +audit rules. This bug has been around since before git. Wow... + +This fixes CVE-2014-3917 +Upstream-Status: Backport + +Signed-off-by: Andy Lutomirski +Signed-off-by: Eric Paris +Signed-off-by: Linus Torvalds +Signed-off-by: Jiri Slaby +Signed-off-by: Sona Sarmadi +--- + kernel/auditsc.c | 27 ++++++++++++++++++--------- + 1 file changed, 18 insertions(+), 9 deletions(-) + +diff --git a/kernel/auditsc.c b/kernel/auditsc.c +index 3b79a47..979c00b 100644 +--- a/kernel/auditsc.c ++++ b/kernel/auditsc.c +@@ -733,6 +733,22 @@ static enum audit_state audit_filter_task(struct task_struct *tsk, char **key) + return AUDIT_BUILD_CONTEXT; + } + ++static int audit_in_mask(const struct audit_krule *rule, unsigned long val) ++{ ++ int word, bit; ++ ++ if (val > 0xffffffff) ++ return false; ++ ++ word = AUDIT_WORD(val); ++ if (word >= AUDIT_BITMASK_SIZE) ++ return false; ++ ++ bit = AUDIT_BIT(val); ++ ++ return rule->mask[word] & bit; ++} ++ + /* At syscall entry and exit time, this filter is called if the + * audit_state is not low enough that auditing cannot take place, but is + * also not high enough that we already know we have to write an audit +@@ -750,11 +766,8 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk, + + rcu_read_lock(); + if (!list_empty(list)) { +- int word = AUDIT_WORD(ctx->major); +- int bit = AUDIT_BIT(ctx->major); +- + list_for_each_entry_rcu(e, list, list) { +- if ((e->rule.mask[word] & bit) == bit && ++ if (audit_in_mask(&e->rule, ctx->major) && + audit_filter_rules(tsk, &e->rule, ctx, NULL, + &state, false)) { + rcu_read_unlock(); +@@ -774,20 +787,16 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk, + static int audit_filter_inode_name(struct task_struct *tsk, + struct audit_names *n, + struct audit_context *ctx) { +- int word, bit; + int h = audit_hash_ino((u32)n->ino); + struct list_head *list = &audit_inode_hash[h]; + struct audit_entry *e; + enum audit_state state; + +- word = AUDIT_WORD(ctx->major); +- bit = AUDIT_BIT(ctx->major); +- + if (list_empty(list)) + return 0; + + list_for_each_entry_rcu(e, list, list) { +- if ((e->rule.mask[word] & bit) == bit && ++ if (audit_in_mask(&e->rule, ctx->major) && + audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) { + ctx->current_state = state; + return 1; +-- +1.9.1 + diff --git a/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb b/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb index 96656322..bbbf4ba7 100644 --- a/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb +++ b/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb @@ -22,6 +22,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \ file://0001-net-sctp-CVE-2014-3673.patch \ file://0002-net-sctp-CVE-2014-3687.patch \ file://0003-net-sctp-CVE-2014-3688.patch \ + file://auditsc-CVE-2014-3917.patch \ " SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229" -- cgit v1.2.3-54-g00ecf