From fda1cbf6adfc3b9f0f3bc03cfa3f28d1a3077dda Mon Sep 17 00:00:00 2001 From: André Fabian Silva Delgado Date: Sat, 1 Feb 2014 05:51:25 -0200 Subject: linux-libre-{knock,pae,xen}-3.12.9-2: fix CVE-2014-0038 --- ...rect-invalid-use-of-user-timespec-in-the-.patch | 80 ++++++++++++++++++++++ kernels/linux-libre-knock/PKGBUILD | 11 ++- ...rect-invalid-use-of-user-timespec-in-the-.patch | 80 ++++++++++++++++++++++ kernels/linux-libre-pae/PKGBUILD | 13 ++-- ...rect-invalid-use-of-user-timespec-in-the-.patch | 80 ++++++++++++++++++++++ kernels/linux-libre-xen/PKGBUILD | 13 ++-- 6 files changed, 266 insertions(+), 11 deletions(-) create mode 100644 kernels/linux-libre-knock/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch create mode 100644 kernels/linux-libre-pae/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch create mode 100644 kernels/linux-libre-xen/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch (limited to 'kernels') diff --git a/kernels/linux-libre-knock/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch b/kernels/linux-libre-knock/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch new file mode 100644 index 000000000..3f1bccc80 --- /dev/null +++ b/kernels/linux-libre-knock/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch @@ -0,0 +1,80 @@ +From 2def2ef2ae5f3990aabdbe8a755911902707d268 Mon Sep 17 00:00:00 2001 +From: PaX Team +Date: Thu, 30 Jan 2014 16:59:25 -0800 +Subject: [PATCH] x86, x32: Correct invalid use of user timespec in the kernel + +The x32 case for the recvmsg() timout handling is broken: + + asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg, + unsigned int vlen, unsigned int flags, + struct compat_timespec __user *timeout) + { + int datagrams; + struct timespec ktspec; + + if (flags & MSG_CMSG_COMPAT) + return -EINVAL; + + if (COMPAT_USE_64BIT_TIME) + return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, + flags | MSG_CMSG_COMPAT, + (struct timespec *) timeout); + ... + +The timeout pointer parameter is provided by userland (hence the __user +annotation) but for x32 syscalls it's simply cast to a kernel pointer +and is passed to __sys_recvmmsg which will eventually directly +dereference it for both reading and writing. Other callers to +__sys_recvmmsg properly copy from userland to the kernel first. + +The bug was introduced by commit ee4fa23c4bfc ("compat: Use +COMPAT_USE_64BIT_TIME in net/compat.c") and should affect all kernels +since 3.4 (and perhaps vendor kernels if they backported x32 support +along with this code). + +Note that CONFIG_X86_X32_ABI gets enabled at build time and only if +CONFIG_X86_X32 is enabled and ld can build x32 executables. + +Other uses of COMPAT_USE_64BIT_TIME seem fine. + +This addresses CVE-2014-0038. + +Signed-off-by: PaX Team +Signed-off-by: H. Peter Anvin +Cc: # v3.4+ +Signed-off-by: Linus Torvalds +--- + net/compat.c | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/net/compat.c b/net/compat.c +index dd32e34..f50161f 100644 +--- a/net/compat.c ++++ b/net/compat.c +@@ -780,21 +780,16 @@ asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg, + if (flags & MSG_CMSG_COMPAT) + return -EINVAL; + +- if (COMPAT_USE_64BIT_TIME) +- return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, +- flags | MSG_CMSG_COMPAT, +- (struct timespec *) timeout); +- + if (timeout == NULL) + return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, + flags | MSG_CMSG_COMPAT, NULL); + +- if (get_compat_timespec(&ktspec, timeout)) ++ if (compat_get_timespec(&ktspec, timeout)) + return -EFAULT; + + datagrams = __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, + flags | MSG_CMSG_COMPAT, &ktspec); +- if (datagrams > 0 && put_compat_timespec(&ktspec, timeout)) ++ if (datagrams > 0 && compat_put_timespec(&ktspec, timeout)) + datagrams = -EFAULT; + + return datagrams; +-- +1.8.5.3 + diff --git a/kernels/linux-libre-knock/PKGBUILD b/kernels/linux-libre-knock/PKGBUILD index 41758cecc..0ca9167b8 100644 --- a/kernels/linux-libre-knock/PKGBUILD +++ b/kernels/linux-libre-knock/PKGBUILD @@ -1,4 +1,4 @@ -# $Id: PKGBUILD 204729 2014-01-26 08:54:46Z thomas $ +# $Id: PKGBUILD 204911 2014-01-31 09:59:51Z bluewind $ # Maintainer: Tobias Powalowski # Maintainer: Thomas Baechler # Maintainer (Parabola): André Silva @@ -13,7 +13,7 @@ _basekernel=3.12 _sublevel=9 _knockpatchver=${_basekernel}.4 pkgver=${_basekernel}.${_sublevel} -pkgrel=1 +pkgrel=2 _lxopkgver=${_basekernel}.9 # nearly always the same as pkgver arch=('i686' 'x86_64' 'mips64el') url="http://linux-libre.fsfla.org/" @@ -38,7 +38,8 @@ source=("http://linux-libre.fsfla.org/pub/linux-libre/releases/${_basekernel}-gn 'rpc_pipe-remove-the-clntXX-dir-if-creating-the-pipe-fails.patch' 'sunrpc-add-an-info-file-for-the-dummy-gssd-pipe.patch' 'rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-notification-fails.patch' - "http://www.linux-libre.fsfla.org/pub/linux-libre/lemote/gnewsense/pool/debuginfo/linux-patches-${_lxopkgver}-gnu_0loongsonlibre_mipsel.tar.bz2") + '0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch' + "http://www.linux-libre.fsfla.org/pub/linux-libre/lemote/gnewsense/pool/debuginfo/linux-patches-${_lxopkgver}-gnu_0loongsonlibre_mipsel.tar.xz") md5sums=('254f59707b6676b59ce5ca5c3c698319' '348975e36e4dd27f5d8fc50e92de8922' '387673a6510de1e1bce8188fc7a72bd1' @@ -56,6 +57,7 @@ md5sums=('254f59707b6676b59ce5ca5c3c698319' 'cec0bb8981936eab2943b2009b7a6fff' '88d9cddf9e0050a76ec4674f264fb2a1' 'cb9016630212ef07b168892fbcfd4e5d' + '336d2c4afd7ee5f2bdf0dcb1a54df4b2' '9cdff00e5aa53962869857d64a1ccf01') if [ "$CARCH" != "mips64el" ]; then # don't use the Loongson-specific patches on non-mips64el arches. @@ -105,6 +107,9 @@ prepare() { patch -Np1 -i "${srcdir}/rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-notification-fails.patch" + # Fix CVE-2014-0038 + patch -p1 -i "${srcdir}/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch" + if [ "$CARCH" == "mips64el" ]; then sed -i "s|^EXTRAVERSION.*|EXTRAVERSION =-libre-knock|" Makefile sed -r "s|^( SUBLEVEL = ).*|\1$_sublevel|" \ diff --git a/kernels/linux-libre-pae/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch b/kernels/linux-libre-pae/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch new file mode 100644 index 000000000..3f1bccc80 --- /dev/null +++ b/kernels/linux-libre-pae/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch @@ -0,0 +1,80 @@ +From 2def2ef2ae5f3990aabdbe8a755911902707d268 Mon Sep 17 00:00:00 2001 +From: PaX Team +Date: Thu, 30 Jan 2014 16:59:25 -0800 +Subject: [PATCH] x86, x32: Correct invalid use of user timespec in the kernel + +The x32 case for the recvmsg() timout handling is broken: + + asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg, + unsigned int vlen, unsigned int flags, + struct compat_timespec __user *timeout) + { + int datagrams; + struct timespec ktspec; + + if (flags & MSG_CMSG_COMPAT) + return -EINVAL; + + if (COMPAT_USE_64BIT_TIME) + return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, + flags | MSG_CMSG_COMPAT, + (struct timespec *) timeout); + ... + +The timeout pointer parameter is provided by userland (hence the __user +annotation) but for x32 syscalls it's simply cast to a kernel pointer +and is passed to __sys_recvmmsg which will eventually directly +dereference it for both reading and writing. Other callers to +__sys_recvmmsg properly copy from userland to the kernel first. + +The bug was introduced by commit ee4fa23c4bfc ("compat: Use +COMPAT_USE_64BIT_TIME in net/compat.c") and should affect all kernels +since 3.4 (and perhaps vendor kernels if they backported x32 support +along with this code). + +Note that CONFIG_X86_X32_ABI gets enabled at build time and only if +CONFIG_X86_X32 is enabled and ld can build x32 executables. + +Other uses of COMPAT_USE_64BIT_TIME seem fine. + +This addresses CVE-2014-0038. + +Signed-off-by: PaX Team +Signed-off-by: H. Peter Anvin +Cc: # v3.4+ +Signed-off-by: Linus Torvalds +--- + net/compat.c | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/net/compat.c b/net/compat.c +index dd32e34..f50161f 100644 +--- a/net/compat.c ++++ b/net/compat.c +@@ -780,21 +780,16 @@ asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg, + if (flags & MSG_CMSG_COMPAT) + return -EINVAL; + +- if (COMPAT_USE_64BIT_TIME) +- return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, +- flags | MSG_CMSG_COMPAT, +- (struct timespec *) timeout); +- + if (timeout == NULL) + return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, + flags | MSG_CMSG_COMPAT, NULL); + +- if (get_compat_timespec(&ktspec, timeout)) ++ if (compat_get_timespec(&ktspec, timeout)) + return -EFAULT; + + datagrams = __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, + flags | MSG_CMSG_COMPAT, &ktspec); +- if (datagrams > 0 && put_compat_timespec(&ktspec, timeout)) ++ if (datagrams > 0 && compat_put_timespec(&ktspec, timeout)) + datagrams = -EFAULT; + + return datagrams; +-- +1.8.5.3 + diff --git a/kernels/linux-libre-pae/PKGBUILD b/kernels/linux-libre-pae/PKGBUILD index 858b40cc1..0874a651a 100644 --- a/kernels/linux-libre-pae/PKGBUILD +++ b/kernels/linux-libre-pae/PKGBUILD @@ -1,4 +1,4 @@ -# $Id: PKGBUILD 204729 2014-01-26 08:54:46Z thomas $ +# $Id: PKGBUILD 204911 2014-01-31 09:59:51Z bluewind $ # Contributor: Tobias Powalowski # Contributor: Thomas Baechler # Maintainer (Parabola): André Silva @@ -7,7 +7,7 @@ pkgbase=linux-libre-pae # Build stock -LIBRE-PAE kernel #pkgbase=linux-libre-custom # Build kernel with a different name _basekernel=3.12 pkgver=${_basekernel}.9 -pkgrel=1 +pkgrel=2 arch=('i686') url="http://linux-libre.fsfla.org/" license=('GPL2') @@ -27,7 +27,8 @@ source=("http://linux-libre.fsfla.org/pub/linux-libre/releases/${_basekernel}-gn 'nfs-check-gssd-running-before-krb5i-auth.patch' 'rpc_pipe-remove-the-clntXX-dir-if-creating-the-pipe-fails.patch' 'sunrpc-add-an-info-file-for-the-dummy-gssd-pipe.patch' - 'rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-notification-fails.patch') + 'rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-notification-fails.patch' + '0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch') md5sums=('254f59707b6676b59ce5ca5c3c698319' '348975e36e4dd27f5d8fc50e92de8922' '2c07956936879d8729ad68d997a79bbf' @@ -40,7 +41,8 @@ md5sums=('254f59707b6676b59ce5ca5c3c698319' '88eef9d3b5012ef7e82af1af8cc4e517' 'cec0bb8981936eab2943b2009b7a6fff' '88d9cddf9e0050a76ec4674f264fb2a1' - 'cb9016630212ef07b168892fbcfd4e5d') + 'cb9016630212ef07b168892fbcfd4e5d' + '336d2c4afd7ee5f2bdf0dcb1a54df4b2') _kernelname=${pkgbase#linux-libre} _localversionname=-LIBRE-PAE @@ -81,6 +83,9 @@ prepare() { patch -Np1 -i "${srcdir}/rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-notification-fails.patch" + # Fix CVE-2014-0038 + patch -p1 -i "${srcdir}/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch" + cat "${srcdir}/config" > ./.config # simpler if [ "${_kernelname}" != "" ]; then diff --git a/kernels/linux-libre-xen/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch b/kernels/linux-libre-xen/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch new file mode 100644 index 000000000..3f1bccc80 --- /dev/null +++ b/kernels/linux-libre-xen/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch @@ -0,0 +1,80 @@ +From 2def2ef2ae5f3990aabdbe8a755911902707d268 Mon Sep 17 00:00:00 2001 +From: PaX Team +Date: Thu, 30 Jan 2014 16:59:25 -0800 +Subject: [PATCH] x86, x32: Correct invalid use of user timespec in the kernel + +The x32 case for the recvmsg() timout handling is broken: + + asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg, + unsigned int vlen, unsigned int flags, + struct compat_timespec __user *timeout) + { + int datagrams; + struct timespec ktspec; + + if (flags & MSG_CMSG_COMPAT) + return -EINVAL; + + if (COMPAT_USE_64BIT_TIME) + return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, + flags | MSG_CMSG_COMPAT, + (struct timespec *) timeout); + ... + +The timeout pointer parameter is provided by userland (hence the __user +annotation) but for x32 syscalls it's simply cast to a kernel pointer +and is passed to __sys_recvmmsg which will eventually directly +dereference it for both reading and writing. Other callers to +__sys_recvmmsg properly copy from userland to the kernel first. + +The bug was introduced by commit ee4fa23c4bfc ("compat: Use +COMPAT_USE_64BIT_TIME in net/compat.c") and should affect all kernels +since 3.4 (and perhaps vendor kernels if they backported x32 support +along with this code). + +Note that CONFIG_X86_X32_ABI gets enabled at build time and only if +CONFIG_X86_X32 is enabled and ld can build x32 executables. + +Other uses of COMPAT_USE_64BIT_TIME seem fine. + +This addresses CVE-2014-0038. + +Signed-off-by: PaX Team +Signed-off-by: H. Peter Anvin +Cc: # v3.4+ +Signed-off-by: Linus Torvalds +--- + net/compat.c | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/net/compat.c b/net/compat.c +index dd32e34..f50161f 100644 +--- a/net/compat.c ++++ b/net/compat.c +@@ -780,21 +780,16 @@ asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg, + if (flags & MSG_CMSG_COMPAT) + return -EINVAL; + +- if (COMPAT_USE_64BIT_TIME) +- return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, +- flags | MSG_CMSG_COMPAT, +- (struct timespec *) timeout); +- + if (timeout == NULL) + return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, + flags | MSG_CMSG_COMPAT, NULL); + +- if (get_compat_timespec(&ktspec, timeout)) ++ if (compat_get_timespec(&ktspec, timeout)) + return -EFAULT; + + datagrams = __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, + flags | MSG_CMSG_COMPAT, &ktspec); +- if (datagrams > 0 && put_compat_timespec(&ktspec, timeout)) ++ if (datagrams > 0 && compat_put_timespec(&ktspec, timeout)) + datagrams = -EFAULT; + + return datagrams; +-- +1.8.5.3 + diff --git a/kernels/linux-libre-xen/PKGBUILD b/kernels/linux-libre-xen/PKGBUILD index 63df6e96a..0422e563d 100644 --- a/kernels/linux-libre-xen/PKGBUILD +++ b/kernels/linux-libre-xen/PKGBUILD @@ -1,4 +1,4 @@ -# $Id: PKGBUILD 204729 2014-01-26 08:54:46Z thomas $ +# $Id: PKGBUILD 204911 2014-01-31 09:59:51Z bluewind $ # Contributor: Tobias Powalowski # Contributor: Thomas Baechler # Maintainer (Parabola): André Silva @@ -7,7 +7,7 @@ pkgbase=linux-libre-xen # Build stock -LIBRE-XEN kernel #pkgbase=linux-libre-custom # Build kernel with a different name _basekernel=3.12 pkgver=${_basekernel}.9 -pkgrel=1 +pkgrel=2 arch=('i686') url="http://linux-libre.fsfla.org/" license=('GPL2') @@ -27,7 +27,8 @@ source=("http://linux-libre.fsfla.org/pub/linux-libre/releases/${_basekernel}-gn 'nfs-check-gssd-running-before-krb5i-auth.patch' 'rpc_pipe-remove-the-clntXX-dir-if-creating-the-pipe-fails.patch' 'sunrpc-add-an-info-file-for-the-dummy-gssd-pipe.patch' - 'rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-notification-fails.patch') + 'rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-notification-fails.patch' + '0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch') md5sums=('254f59707b6676b59ce5ca5c3c698319' '348975e36e4dd27f5d8fc50e92de8922' '670682e633d1b785c73581307da7eb9c' @@ -40,7 +41,8 @@ md5sums=('254f59707b6676b59ce5ca5c3c698319' '88eef9d3b5012ef7e82af1af8cc4e517' 'cec0bb8981936eab2943b2009b7a6fff' '88d9cddf9e0050a76ec4674f264fb2a1' - 'cb9016630212ef07b168892fbcfd4e5d') + 'cb9016630212ef07b168892fbcfd4e5d' + '336d2c4afd7ee5f2bdf0dcb1a54df4b2') _kernelname=${pkgbase#linux-libre} _localversionname=-LIBRE-XEN @@ -81,6 +83,9 @@ prepare() { patch -Np1 -i "${srcdir}/rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-notification-fails.patch" + # Fix CVE-2014-0038 + patch -p1 -i "${srcdir}/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch" + cat "${srcdir}/config" > ./.config # simpler if [ "${_kernelname}" != "" ]; then -- cgit v1.2.3-54-g00ecf