kernel: CVE-2014-7825, CVE-2014-7826

Insufficient syscall number validation in perf and ftrace subsystems CVE-2014-7825 Fixes an out-of-bounds memory access flaw, in the syscall tracing functionality of the Linux kernel's perf subsystem. CVE-2014-7826 Fixes an out-of-bounds memory access flaw, in the syscall tracing functionality of the Linux kernel's ftrace subsystem. References: http://www.openwall.com/lists/oss-security/2014/11/06/11 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7825 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7826 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2015-03-02 11:43:59 +0100
committer: Zhenhua Luo <zhenhua.luo@freescale.com> 2015-03-06 16:28:49 +0800
commit: 19a183db9d8ac539b2640204ef01afa0b7d9a13e (patch)
tree: d1bb46eb11dffed82d0f10a6814b2b3ef83262d4 /recipes-kernel
parent: 91cc1736ead3b2808fc0868eeada9df5e754d446 (diff)
download: meta-fsl-ppc-19a183db9d8ac539b2640204ef01afa0b7d9a13e.tar.gz
2 files changed, 95 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/tracing-CVE-2014-7825_CVE-2014-7826.patch b/recipes-kernel/linux/files/tracing-CVE-2014-7825_CVE-2014-7826.patch
new file mode 100644
index 0000000..cc90f7d
--- /dev/null
+++ b/recipes-kernel/linux/files/tracing-CVE-2014-7825_CVE-2014-7826.patch
@@ -0,0 +1,94 @@
+From abc07cd01c51fb54088c6bc8ee654d104a5ec7d9 Mon Sep 17 00:00:00 2001
+From: Rabin Vincent <rabin@rab.in>
+Date: Wed, 29 Oct 2014 23:06:58 +0100
+Subject: [PATCH] tracing/syscalls: Ignore numbers outside NR_syscalls' range
+commit 086ba77a6db00ed858ff07451bedee197df868c9 upstream.
+ARM has some private syscalls (for example, set_tls(2)) which lie
+outside the range of NR_syscalls.  If any of these are called while
+syscall tracing is being performed, out-of-bounds array access will
+occur in the ftrace and perf sys_{enter,exit} handlers.
+ # trace-cmd record -e raw_syscalls:* true && trace-cmd report
+ ...
+ true-653   [000]   384.675777: sys_enter:            NR 192 (0, 1000, 3, 4000022, ffffffff, 0)
+ true-653   [000]   384.675812: sys_exit:             NR 192 = 1995915264
+ true-653   [000]   384.675971: sys_enter:            NR 983045 (76f74480, 76f74000, 76f74b28, 76f74480, 76f76f74, 1)
+ true-653   [000]   384.675988: sys_exit:             NR 983045 = 0
+ ...
+ # trace-cmd record -e syscalls:* true
+ [   17.289329] Unable to handle kernel paging request at virtual address aaaaaace
+ [   17.289590] pgd = 9e71c000
+ [   17.289696] [aaaaaace] *pgd=00000000
+ [   17.289985] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
+ [   17.290169] Modules linked in:
+ [   17.290391] CPU: 0 PID: 704 Comm: true Not tainted 3.18.0-rc2+ #21
+ [   17.290585] task: 9f4dab00 ti: 9e710000 task.ti: 9e710000
+ [   17.290747] PC is at ftrace_syscall_enter+0x48/0x1f8
+ [   17.290866] LR is at syscall_trace_enter+0x124/0x184
+Fix this by ignoring out-of-NR_syscalls-bounds syscall numbers.
+Commit cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls"
+added the check for less than zero, but it should have also checked
+for greater than NR_syscalls.
+Fixes CVE-2014-7825 and CVE-2014-7826
+Upstream-Status: Backport
+Link: http://lkml.kernel.org/p/1414620418-29472-1-git-send-email-rabin@rab.in
+Fixes: cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls"
+Signed-off-by: Rabin Vincent <rabin@rab.in>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ kernel/trace/trace_syscalls.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+diff --git a/kernel/trace/trace_syscalls.c b/kernel/trace/trace_syscalls.c
+index 559329d..d8ce71b 100644
+--- a/kernel/trace/trace_syscalls.c
+++ b/kernel/trace/trace_syscalls.c
+@@ -312,7 +312,7 @@ static void ftrace_syscall_enter(void *data, struct pt_regs *regs, long id)
+        int size;
+ 
+        syscall_nr = trace_get_syscall_nr(current, regs);
+-       if (syscall_nr < 0)
+       if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
+                return;
+        if (!test_bit(syscall_nr, tr->enabled_enter_syscalls))
+                return;
+@@ -354,7 +354,7 @@ static void ftrace_syscall_exit(void *data, struct pt_regs *regs, long ret)
+        int syscall_nr;
+ 
+        syscall_nr = trace_get_syscall_nr(current, regs);
+-       if (syscall_nr < 0)
+       if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
+                return;
+        if (!test_bit(syscall_nr, tr->enabled_exit_syscalls))
+                return;
+@@ -557,7 +557,7 @@ static void perf_syscall_enter(void *ignore, struct pt_regs *regs, long id)
+        int size;
+ 
+        syscall_nr = trace_get_syscall_nr(current, regs);
+-       if (syscall_nr < 0)
+       if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
+                return;
+        if (!test_bit(syscall_nr, enabled_perf_enter_syscalls))
+                return;
+@@ -631,7 +631,7 @@ static void perf_syscall_exit(void *ignore, struct pt_regs *regs, long ret)
+        int size;
+ 
+        syscall_nr = trace_get_syscall_nr(current, regs);
+-       if (syscall_nr < 0)
+       if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
+                return;
+        if (!test_bit(syscall_nr, enabled_perf_exit_syscalls))
+                return;
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index 527daf4..e7af627 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -35,6 +35,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
    file://0002-shmem-CVE-2014-4171.patch \
    file://0003-shmem-CVE-2014-4171.patch \
    file://fs-CVE-2014-4014.patch \
+    file://tracing-CVE-2014-7825_CVE-2014-7826.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2015-03-02 11:43:59 +0100
committer	Zhenhua Luo <zhenhua.luo@freescale.com>	2015-03-06 16:28:49 +0800
commit	19a183db9d8ac539b2640204ef01afa0b7d9a13e (patch)
tree	d1bb46eb11dffed82d0f10a6814b2b3ef83262d4 /recipes-kernel
parent	91cc1736ead3b2808fc0868eeada9df5e754d446 (diff)
download	meta-fsl-ppc-19a183db9d8ac539b2640204ef01afa0b7d9a13e.tar.gz

diff --git a/recipes-kernel/linux/files/tracing-CVE-2014-7825_CVE-2014-7826.patch b/recipes-kernel/linux/files/tracing-CVE-2014-7825_CVE-2014-7826.patch new file mode 100644 index 0000000..cc90f7d --- /dev/null +++ b/recipes-kernel/linux/files/tracing-CVE-2014-7825_CVE-2014-7826.patch
@@ -0,0 +1,94 @@
		1	From abc07cd01c51fb54088c6bc8ee654d104a5ec7d9 Mon Sep 17 00:00:00 2001
		2	From: Rabin Vincent <rabin@rab.in>
		3	Date: Wed, 29 Oct 2014 23:06:58 +0100
		4	Subject: [PATCH] tracing/syscalls: Ignore numbers outside NR_syscalls' range
		5
		6	commit 086ba77a6db00ed858ff07451bedee197df868c9 upstream.
		7
		8	ARM has some private syscalls (for example, set_tls(2)) which lie
		9	outside the range of NR_syscalls. If any of these are called while
		10	syscall tracing is being performed, out-of-bounds array access will
		11	occur in the ftrace and perf sys_{enter,exit} handlers.
		12
		13	# trace-cmd record -e raw_syscalls:* true && trace-cmd report
		14	...
		15	true-653 [000] 384.675777: sys_enter: NR 192 (0, 1000, 3, 4000022, ffffffff, 0)
		16	true-653 [000] 384.675812: sys_exit: NR 192 = 1995915264
		17	true-653 [000] 384.675971: sys_enter: NR 983045 (76f74480, 76f74000, 76f74b28, 76f74480, 76f76f74, 1)
		18	true-653 [000] 384.675988: sys_exit: NR 983045 = 0
		19	...
		20
		21	# trace-cmd record -e syscalls:* true
		22	[ 17.289329] Unable to handle kernel paging request at virtual address aaaaaace
		23	[ 17.289590] pgd = 9e71c000
		24	[ 17.289696] [aaaaaace] *pgd=00000000
		25	[ 17.289985] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
		26	[ 17.290169] Modules linked in:
		27	[ 17.290391] CPU: 0 PID: 704 Comm: true Not tainted 3.18.0-rc2+ #21
		28	[ 17.290585] task: 9f4dab00 ti: 9e710000 task.ti: 9e710000
		29	[ 17.290747] PC is at ftrace_syscall_enter+0x48/0x1f8
		30	[ 17.290866] LR is at syscall_trace_enter+0x124/0x184
		31
		32	Fix this by ignoring out-of-NR_syscalls-bounds syscall numbers.
		33
		34	Commit cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls"
		35	added the check for less than zero, but it should have also checked
		36	for greater than NR_syscalls.
		37
		38	Fixes CVE-2014-7825 and CVE-2014-7826
		39	Upstream-Status: Backport
		40
		41	Link: http://lkml.kernel.org/p/1414620418-29472-1-git-send-email-rabin@rab.in
		42
		43	Fixes: cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls"
		44	Signed-off-by: Rabin Vincent <rabin@rab.in>
		45	Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
		46	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
		47	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		48	---
		49	kernel/trace/trace_syscalls.c \| 8 ++++----
		50	1 file changed, 4 insertions(+), 4 deletions(-)
		51
		52	diff --git a/kernel/trace/trace_syscalls.c b/kernel/trace/trace_syscalls.c
		53	index 559329d..d8ce71b 100644
		54	--- a/kernel/trace/trace_syscalls.c
		55	+++ b/kernel/trace/trace_syscalls.c
		56	@@ -312,7 +312,7 @@ static void ftrace_syscall_enter(void data, struct pt_regs regs, long id)
		57	int size;
		58
		59	syscall_nr = trace_get_syscall_nr(current, regs);
		60	- if (syscall_nr < 0)
		61	+ if (syscall_nr < 0 \|\| syscall_nr >= NR_syscalls)
		62	return;
		63	if (!test_bit(syscall_nr, tr->enabled_enter_syscalls))
		64	return;
		65	@@ -354,7 +354,7 @@ static void ftrace_syscall_exit(void data, struct pt_regs regs, long ret)
		66	int syscall_nr;
		67
		68	syscall_nr = trace_get_syscall_nr(current, regs);
		69	- if (syscall_nr < 0)
		70	+ if (syscall_nr < 0 \|\| syscall_nr >= NR_syscalls)
		71	return;
		72	if (!test_bit(syscall_nr, tr->enabled_exit_syscalls))
		73	return;
		74	@@ -557,7 +557,7 @@ static void perf_syscall_enter(void ignore, struct pt_regs regs, long id)
		75	int size;
		76
		77	syscall_nr = trace_get_syscall_nr(current, regs);
		78	- if (syscall_nr < 0)
		79	+ if (syscall_nr < 0 \|\| syscall_nr >= NR_syscalls)
		80	return;
		81	if (!test_bit(syscall_nr, enabled_perf_enter_syscalls))
		82	return;
		83	@@ -631,7 +631,7 @@ static void perf_syscall_exit(void ignore, struct pt_regs regs, long ret)
		84	int size;
		85
		86	syscall_nr = trace_get_syscall_nr(current, regs);
		87	- if (syscall_nr < 0)
		88	+ if (syscall_nr < 0 \|\| syscall_nr >= NR_syscalls)
		89	return;
		90	if (!test_bit(syscall_nr, enabled_perf_exit_syscalls))
		91	return;
		92	--
		93	1.9.1
		94


diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb index 527daf4..e7af627 100644 --- a/recipes-kernel/linux/linux-qoriq_3.12.bb +++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -35,6 +35,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
35	file://0002-shmem-CVE-2014-4171.patch \	35	file://0002-shmem-CVE-2014-4171.patch \
36	file://0003-shmem-CVE-2014-4171.patch \	36	file://0003-shmem-CVE-2014-4171.patch \
37	file://fs-CVE-2014-4014.patch \	37	file://fs-CVE-2014-4014.patch \
		38	file://tracing-CVE-2014-7825_CVE-2014-7826.patch \
38	"	39	"
39	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"	40	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
40		41