kernel: CVE-2014-7825, CVE-2014-7826

author Sona Sarmadi <sona.sarmadi@enea.com>

Mon, 2 Mar 2015 10:43:59 +0000 (11:43 +0100)

committer Zhenhua Luo <zhenhua.luo@freescale.com>

Fri, 6 Mar 2015 08:28:49 +0000 (16:28 +0800)
author Sona Sarmadi <sona.sarmadi@enea.com>
Mon, 2 Mar 2015 10:43:59 +0000 (11:43 +0100)
committer Zhenhua Luo <zhenhua.luo@freescale.com>
Fri, 6 Mar 2015 08:28:49 +0000 (16:28 +0800)
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/tracing-CVE-2014-7825_CVE-2014-7826.patch b/meta-fsl-ppc/recipes-kernel/linux/files/tracing-CVE-2014-7825_CVE-2014-7826.patch

new file mode 100644 (file)

index 0000000..cc90f7d
--- /dev/null
+++ b/meta-fsl-ppc/recipes-kernel/linux/files/tracing-CVE-2014-7825_CVE-2014-7826.patch
@@ -0,0 +1,94 @@
+From abc07cd01c51fb54088c6bc8ee654d104a5ec7d9 Mon Sep 17 00:00:00 2001
+From: Rabin Vincent <rabin@rab.in>
+Date: Wed, 29 Oct 2014 23:06:58 +0100
+Subject: [PATCH] tracing/syscalls: Ignore numbers outside NR_syscalls' range
+
+commit 086ba77a6db00ed858ff07451bedee197df868c9 upstream.
+
+ARM has some private syscalls (for example, set_tls(2)) which lie
+outside the range of NR_syscalls.  If any of these are called while
+syscall tracing is being performed, out-of-bounds array access will
+occur in the ftrace and perf sys_{enter,exit} handlers.
+
+ # trace-cmd record -e raw_syscalls:* true && trace-cmd report
+ ...
+ true-653   [000]   384.675777: sys_enter:            NR 192 (0, 1000, 3, 4000022, ffffffff, 0)
+ true-653   [000]   384.675812: sys_exit:             NR 192 = 1995915264
+ true-653   [000]   384.675971: sys_enter:            NR 983045 (76f74480, 76f74000, 76f74b28, 76f74480, 76f76f74, 1)
+ true-653   [000]   384.675988: sys_exit:             NR 983045 = 0
+ ...
+
+ # trace-cmd record -e syscalls:* true
+ [   17.289329] Unable to handle kernel paging request at virtual address aaaaaace
+ [   17.289590] pgd = 9e71c000
+ [   17.289696] [aaaaaace] *pgd=00000000
+ [   17.289985] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
+ [   17.290169] Modules linked in:
+ [   17.290391] CPU: 0 PID: 704 Comm: true Not tainted 3.18.0-rc2+ #21
+ [   17.290585] task: 9f4dab00 ti: 9e710000 task.ti: 9e710000
+ [   17.290747] PC is at ftrace_syscall_enter+0x48/0x1f8
+ [   17.290866] LR is at syscall_trace_enter+0x124/0x184
+
+Fix this by ignoring out-of-NR_syscalls-bounds syscall numbers.
+
+Commit cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls"
+added the check for less than zero, but it should have also checked
+for greater than NR_syscalls.
+
+Fixes CVE-2014-7825 and CVE-2014-7826
+Upstream-Status: Backport
+
+Link: http://lkml.kernel.org/p/1414620418-29472-1-git-send-email-rabin@rab.in
+
+Fixes: cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls"
+Signed-off-by: Rabin Vincent <rabin@rab.in>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ kernel/trace/trace_syscalls.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/trace/trace_syscalls.c b/kernel/trace/trace_syscalls.c
+index 559329d..d8ce71b 100644
+--- a/kernel/trace/trace_syscalls.c
++++ b/kernel/trace/trace_syscalls.c
+@@ -312,7 +312,7 @@ static void ftrace_syscall_enter(void *data, struct pt_regs *regs, long id)
+       int size;
+ 
+       syscall_nr = trace_get_syscall_nr(current, regs);
+-      if (syscall_nr < 0)
++      if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
+               return;
+       if (!test_bit(syscall_nr, tr->enabled_enter_syscalls))
+               return;
+@@ -354,7 +354,7 @@ static void ftrace_syscall_exit(void *data, struct pt_regs *regs, long ret)
+       int syscall_nr;
+ 
+       syscall_nr = trace_get_syscall_nr(current, regs);
+-      if (syscall_nr < 0)
++      if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
+               return;
+       if (!test_bit(syscall_nr, tr->enabled_exit_syscalls))
+               return;
+@@ -557,7 +557,7 @@ static void perf_syscall_enter(void *ignore, struct pt_regs *regs, long id)
+       int size;
+ 
+       syscall_nr = trace_get_syscall_nr(current, regs);
+-      if (syscall_nr < 0)
++      if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
+               return;
+       if (!test_bit(syscall_nr, enabled_perf_enter_syscalls))
+               return;
+@@ -631,7 +631,7 @@ static void perf_syscall_exit(void *ignore, struct pt_regs *regs, long ret)
+       int size;
+ 
+       syscall_nr = trace_get_syscall_nr(current, regs);
+-      if (syscall_nr < 0)
++      if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
+               return;
+       if (!test_bit(syscall_nr, enabled_perf_exit_syscalls))
+               return;
+-- 
+1.9.1
+
diff --git a/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb b/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb

index 527daf451a87be1082100297fc6d7f52c06a301c..e7af627445df30544b4dc8e683553b10035d6347 100644 (file)
--- a/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -35,6 +35,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
      file://0002-shmem-CVE-2014-4171.patch \
      file://0003-shmem-CVE-2014-4171.patch \
      file://fs-CVE-2014-4014.patch \
+    file://tracing-CVE-2014-7825_CVE-2014-7826.patch \
  "
  SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
author	Sona Sarmadi <sona.sarmadi@enea.com>
	Mon, 2 Mar 2015 10:43:59 +0000 (11:43 +0100)
committer	Zhenhua Luo <zhenhua.luo@freescale.com>
	Fri, 6 Mar 2015 08:28:49 +0000 (16:28 +0800)
meta-fsl-ppc/recipes-kernel/linux/files/tracing-CVE-2014-7825_CVE-2014-7826.patch	[new file with mode: 0644]	patch \| blob
meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb		patch \| blob \| history