From: Thomas D <whissi@whissi.de>
To: stable@vger.kernel.org
Cc: luto@kernel.org, Thomas D <whissi@whissi.de>
Subject: [PATCH-v3.14.y 0/6] x86/nmi/64: Stable backports for CVE-2015-3290 and CVE-2015-5157
Date: Tue, 18 Aug 2015 00:55:19 +0200
Message-ID: <1439852125-6581-1-git-send-email-whissi@whissi.de>
In-Reply-To: <20150817132349.GA26797@kroah.com>

Hi,

here's my backport for CVE-2015-3290 and linux-3.14.

How I tested the backport:

1. I compiled and booted vanilla linux-3.14.51.

2. I ran the public exploit for CVE-2015-3290 [1] from Andrew Lutomirski
   against the kernel. Nothing really happened, but I saw output I
   shouldn't see. While the exploit was still hammering the system, I
   started the public exploit for CVE-2015-5157 [2] (also from Andrew) in
   addition.

3. Now the system logged

> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.874717] kernel BUG at arch/x86/kernel/traps.c:413!
> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.875987] invalid opcode: 0000 [#2] SMP
> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.877267] Modules linked in: xt_recent xt_comment ipt_REJECT xt_addrtype xt_mark xt_CT xt_multiport ipt_ULOG xt_NFLOG nfnetlink_log xt_LOG nf_nat_tftp nf_nat_snmp_basic nf_conntrack_snmp nf_nat_sip nf_nat_pptp nf_nat_proto_gre nf_nat_irc nf_nat_h323 nf_nat_ftp nf_nat_amanda ts_kmp nf_conntrack_amanda nf_conntrack_sane nf_conntrack_tftp nf_conntrack_sip nf_conntrack_proto_udplite nf_conntrack_proto_sctp nf_conntrack_pptp nf_conntrack_proto_gre nf_conntrack_netlink nfnetlink nf_conntrack_netbios_ns nf_conntrack_broadcast nf_conntrack_irc nf_conntrack_h323 nf_conntrack_ftp xt_tcpudp xt_conntrack iptable_mangle iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_raw iptable_filter ip_tables x_tables binfmt_misc coretemp microcode psmouse pcspkr libcrc32c dm_log_userspace vmxnet3 e1000 fuse nfs lockd sunrpc fscache dm_snapshot dm_bufio dm_mirror dm_region_hash dm_log usb_storage
> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.886469] CPU: 0 PID: 15061 Comm: CVE-2015-5157 Tainted: G      D      3.14.51 #1
> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.888055] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/20/2014
> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.889664] task: ffff8800b9c40000 ti: ffff8800b9eb4000 task.ti: ffff8800b9eb4000
> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.891250] RIP: 0010:[<ffffffff81621280>]  [<ffffffff81621280>] fixup_bad_iret+0x60/0x70
> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.892913] RSP: 0000:ffff88013fc05ec8  EFLAGS: 00010046
> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.894459] RAX: ffff8800b9eb5f50 RBX: ffff8800b9eb5f50 RCX: ffffffff81620827
> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.895944] RDX: 0000000000000008 RSI: ffff88013fc05f70 RDI: ffff8800b9eb5fd0
> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.897387] RBP: ffff88013fc05ee0 R08: 00000000ffe58efc R09: 0000000000000000
> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.898796] R10: 0000000000000004 R11: 0000000000000004 R12: ffff8800b9eb6000
> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.900178] R13: ffff88013fc05ef0 R14: 0000000000000000 R15: 0000000000000000
> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.901554] FS:  0000000000000000(0000) GS:ffff88013fc00000(0063) knlGS:00000000f75c7940
> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.903066] CS:  0010 DS: 002b ES: 002b CR0: 000000008005003b
> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.904771] CR2: 00000000f75f4320 CR3: 00000000b9e47000 CR4: 00000000001407f0
> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.906599] Stack:
> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.908242]  0000000000000001 0000000000000000 0000000000000000 00000000ffe58f18
> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.909886]  ffffffff81620c31 ffffffff816209dc 0000000000000000 0000000000000000
> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.911241]  0000000000000000 0000000000000000 00000000ffe58f18 00000000ffe58e70
> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.912701] Call Trace:
> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.914201]  <NMI>
> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.914216]  [<ffffffff81620c31>] error_bad_iret+0xb/0x1a
> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.916857]  [<ffffffff816209dc>] ? general_protection+0xc/0x30
> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.918193]  [<ffffffff81620827>] ? native_iret+0x7/0x7
> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.919493]  [<ffffffff81620d27>] ? first_nmi+0x1e/0x1e
> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.920790]  [<ffffffff816209d0>] ? stack_segment+0x30/0x30
> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.922079]  <<EOE>>
> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.922092] Code: 00 00 e8 14 71 d2 ff ba 88 00 00 00 4c 89 ee 48 89 df e8 04 71 d2 ff 41 f6 44 24 e0 03 74 0c 48 89 d8 5b 41 5c 41 5d 5d c3 66 90 <0f> 0b 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00
> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.926265] RIP  [<ffffffff81621280>] fixup_bad_iret+0x60/0x70
> Aug 17 17:26:09 vm-gentoo-x64 kernel: [  808.927620]  RSP <ffff88013fc05ec8>

and finally crashed (rebooted).


4. After I backported the fixes, I re-compiled the kernel and tested again.

5. Nothing happens. No crash anymore, nor output. Well, that's not 100%
   correct, the kernel logged

Aug 17 23:52:50 vm-gentoo-x64 kernel: [  355.090003] Uhhuh. NMI received for unknown reason 31 on CPU 0.
Aug 17 23:52:50 vm-gentoo-x64 kernel: [  355.090279] Do you have a strange power saving mode enabled?
Aug 17 23:52:50 vm-gentoo-x64 kernel: [  355.090549] Dazed and confused, but trying to continue

   while running the exploit for CVE-2015-5157, but this seems to be OK.



But please, before you accept the backport, someone needs to review and
acknowledge at least commit 6d420d6f05010e7113ddf04c748ca137ed2aea54
(x86/nmi/64: Switch stacks on userspace NMI entry) in detail:

3.14.y has no "restore_c_regs_and_iret" label, so I added the "Open-code
the entire return process for compatibility with varying" block with the
additional addq/popq calls I found in Debian's patch for 3.16.y [3].

But to be honest I don't know what I am doing here so please review.

Thanks!



See also:
=========
[1] http://www.openwall.com/lists/oss-security/2015/08/04/8

[2] http://www.openwall.com/lists/oss-security/2015/07/22/7

[3] https://anonscm.debian.org/cgit/kernel/linux.git/tree/debian/patches/bugfix/x86/0006-x86-nmi-64-Switch-stacks-on-userspace-NMI-entry.patch?h=jessie#n112


Andy Lutomirski (6):
  x86/nmi: Enable nested do_nmi() handling for 64-bit kernels
  x86/nmi/64: Remove asm code that saves CR2
  x86/nmi/64: Switch stacks on userspace NMI entry
  x86/nmi/64: Improve nested NMI comments
  x86/nmi/64: Reorder nested NMI checks
  x86/nmi/64: Use DF to avoid userspace RSP confusing nested NMI
    detection

 arch/x86/kernel/entry_64.S | 296 ++++++++++++++++++++++++++++++---------------
 arch/x86/kernel/nmi.c      | 123 ++++++++-----------
 2 files changed, 249 insertions(+), 170 deletions(-)

-- 
2.5.0

