From: Andy Lutomirski <luto@amacapital.net>
To: Richard Weinberger <richard@nod.at>,
"H. Peter Anvin" <hpa@zytor.com>, X86 ML <x86@kernel.org>
Cc: "Toralf Förster" <toralf.foerster@gmx.de>,
"Eric Paris" <eparis@redhat.com>,
"Linux Kernel" <linux-kernel@vger.kernel.org>
Subject: Re: 3.15: kernel BUG at kernel/auditsc.c:1525!
Date: Mon, 16 Jun 2014 14:35:03 -0700 [thread overview]
Message-ID: <CALCETrW7U4AHG-a9oPbOt31z3wgzhjSu8b+yGpdM4+vNinKgsA@mail.gmail.com> (raw)
In-Reply-To: <539F5702.5050104@nod.at>
[-- Attachment #1: Type: text/plain, Size: 1153 bytes --]
[cc: hpa, x86 list]
On Mon, Jun 16, 2014 at 1:43 PM, Richard Weinberger <richard@nod.at> wrote:
> Am 16.06.2014 22:41, schrieb Toralf Förster:
>> Well, might be the mail:subject should be adapted, b/c the issue can be triggered in a 3.13.11 kernel too.
>> Unfortunately it does not appear within an UML guest, therefore an automated bisecting isn't possible I fear.
>
> You could try KVM. :)
Before you do that, just to clarify:
What bitness is your kernel? That is, are you on 32-bit or 64-bit kernel?
What bitness is your test case? 'file a.out' will say.
What does /proc/cpuinfo say in flags?
Can you try the attached patch? It's only compile-tested.
To hpa, etc: It appears that entry_32.S is missing any call to the
audit exit hook on the badsys path. If I'm diagnosing this bug report
correctly, this causes OOPSes.
The the world at large: it's increasingly apparent that no one (except
maybe the blackhats) has ever scrutinized the syscall auditing code.
This is two old severe bugs in the code that have probably been there
for a long time.
--Andy
--
Andy Lutomirski
AMA Capital Management, LLC
[-- Attachment #2: 0001-x86_32-entry-Fix-badsys-paths.patch --]
[-- Type: text/x-patch, Size: 1582 bytes --]
From 8b43bd2118d876cb3163e8f7d9cd8253da649335 Mon Sep 17 00:00:00 2001
Message-Id: <8b43bd2118d876cb3163e8f7d9cd8253da649335.1402954406.git.luto@amacapital.net>
From: Andy Lutomirski <luto@amacapital.net>
Date: Mon, 16 Jun 2014 14:28:19 -0700
Subject: [PATCH] x86_32,entry: Fix badsys paths
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The bad syscall nr paths are their own incomprehensible route
through the entry control flow. Rearrange them to work just like
syscalls that return -ENOSYS.
This should fix an OOPS in the audit code when auditing is enabled
and bad syscall nrs are used.
Reported-by: Toralf Förster <toralf.foerster@gmx.de>
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
---
arch/x86/kernel/entry_32.S | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
index 98313ff..eb6e07e 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -431,9 +431,10 @@ sysenter_past_esp:
jnz sysenter_audit
sysenter_do_call:
cmpl $(NR_syscalls), %eax
- jae syscall_badsys
+ jae sysenter_badsys
call *sys_call_table(,%eax,4)
movl %eax,PT_EAX(%esp)
+sysenter_after_call:
LOCKDEP_SYS_EXIT
DISABLE_INTERRUPTS(CLBR_ANY)
TRACE_IRQS_OFF
@@ -687,7 +688,12 @@ END(syscall_fault)
syscall_badsys:
movl $-ENOSYS,PT_EAX(%esp)
- jmp resume_userspace
+ jmp syscall_exit
+END(syscall_badsys)
+
+sysenter_badsys:
+ movl $-ENOSYS,PT_EAX(%esp)
+ jmp sysenter_after_call
END(syscall_badsys)
CFI_ENDPROC
/*
--
1.9.3
next prev parent reply other threads:[~2014-06-16 21:35 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-16 16:33 3.15: kernel BUG at kernel/auditsc.c:1525! Toralf Förster
2014-06-16 17:21 ` Richard Weinberger
2014-06-16 17:25 ` Andy Lutomirski
2014-06-16 17:29 ` Richard Weinberger
2014-06-16 17:32 ` Andy Lutomirski
2014-06-16 17:36 ` Toralf Förster
2014-06-16 17:50 ` Andy Lutomirski
2014-06-16 17:59 ` Toralf Förster
2014-06-16 18:15 ` Andy Lutomirski
2014-06-16 18:21 ` Toralf Förster
2014-06-16 18:24 ` Andy Lutomirski
2014-06-16 18:36 ` Toralf Förster
2014-06-16 20:41 ` Toralf Förster
2014-06-16 20:43 ` Richard Weinberger
2014-06-16 21:35 ` Andy Lutomirski [this message]
2014-06-16 21:48 ` H. Peter Anvin
2014-06-16 21:54 ` Andy Lutomirski
2014-06-16 21:58 ` H. Peter Anvin
2014-06-16 22:00 ` Andy Lutomirski
2014-06-20 15:41 ` Andy Lutomirski
2014-06-20 17:35 ` Toralf Förster
2014-06-23 21:04 ` Josh Boyer
2014-06-23 21:22 ` [PATCH] x86_32,entry: Do syscall exit work on badsys (CVE-2014-4508) Andy Lutomirski
2014-06-23 22:18 ` [tip:x86/urgent] x86_32, entry: Do syscall exit work on badsys ( CVE-2014-4508) tip-bot for Andy Lutomirski
2014-06-24 10:51 ` [PATCH] x86_32,entry: Do syscall exit work on badsys (CVE-2014-4508) Borislav Petkov
2014-06-24 20:53 ` Andy Lutomirski
2014-06-24 21:18 ` Borislav Petkov
2014-07-01 10:52 ` Quentin Casasnovas
2014-07-01 14:14 ` Andy Lutomirski
2014-06-17 15:38 ` 3.15: kernel BUG at kernel/auditsc.c:1525! Toralf Förster
2014-06-17 16:19 ` Andy Lutomirski
2014-06-20 4:44 ` Fwd: " Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CALCETrW7U4AHG-a9oPbOt31z3wgzhjSu8b+yGpdM4+vNinKgsA@mail.gmail.com \
--to=luto@amacapital.net \
--cc=eparis@redhat.com \
--cc=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=richard@nod.at \
--cc=toralf.foerster@gmx.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.