From 9ea68f9235142ce90cba64262d8d6968eddbf628 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Fabian=20Silva=20Delgado?= Date: Sat, 1 Feb 2014 05:30:12 -0200 Subject: linux-libre-3.12.9-2: fix CVE-2014-0038 --- ...rect-invalid-use-of-user-timespec-in-the-.patch | 80 ++++++++++++++++++++++ libre/linux-libre/PKGBUILD | 11 ++- 2 files changed, 88 insertions(+), 3 deletions(-) create mode 100644 libre/linux-libre/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch (limited to 'libre') diff --git a/libre/linux-libre/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch b/libre/linux-libre/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch new file mode 100644 index 000000000..3f1bccc80 --- /dev/null +++ b/libre/linux-libre/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch @@ -0,0 +1,80 @@ +From 2def2ef2ae5f3990aabdbe8a755911902707d268 Mon Sep 17 00:00:00 2001 +From: PaX Team +Date: Thu, 30 Jan 2014 16:59:25 -0800 +Subject: [PATCH] x86, x32: Correct invalid use of user timespec in the kernel + +The x32 case for the recvmsg() timout handling is broken: + + asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg, + unsigned int vlen, unsigned int flags, + struct compat_timespec __user *timeout) + { + int datagrams; + struct timespec ktspec; + + if (flags & MSG_CMSG_COMPAT) + return -EINVAL; + + if (COMPAT_USE_64BIT_TIME) + return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, + flags | MSG_CMSG_COMPAT, + (struct timespec *) timeout); + ... + +The timeout pointer parameter is provided by userland (hence the __user +annotation) but for x32 syscalls it's simply cast to a kernel pointer +and is passed to __sys_recvmmsg which will eventually directly +dereference it for both reading and writing. Other callers to +__sys_recvmmsg properly copy from userland to the kernel first. + +The bug was introduced by commit ee4fa23c4bfc ("compat: Use +COMPAT_USE_64BIT_TIME in net/compat.c") and should affect all kernels +since 3.4 (and perhaps vendor kernels if they backported x32 support +along with this code). + +Note that CONFIG_X86_X32_ABI gets enabled at build time and only if +CONFIG_X86_X32 is enabled and ld can build x32 executables. + +Other uses of COMPAT_USE_64BIT_TIME seem fine. + +This addresses CVE-2014-0038. + +Signed-off-by: PaX Team +Signed-off-by: H. Peter Anvin +Cc: # v3.4+ +Signed-off-by: Linus Torvalds +--- + net/compat.c | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/net/compat.c b/net/compat.c +index dd32e34..f50161f 100644 +--- a/net/compat.c ++++ b/net/compat.c +@@ -780,21 +780,16 @@ asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg, + if (flags & MSG_CMSG_COMPAT) + return -EINVAL; + +- if (COMPAT_USE_64BIT_TIME) +- return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, +- flags | MSG_CMSG_COMPAT, +- (struct timespec *) timeout); +- + if (timeout == NULL) + return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, + flags | MSG_CMSG_COMPAT, NULL); + +- if (get_compat_timespec(&ktspec, timeout)) ++ if (compat_get_timespec(&ktspec, timeout)) + return -EFAULT; + + datagrams = __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, + flags | MSG_CMSG_COMPAT, &ktspec); +- if (datagrams > 0 && put_compat_timespec(&ktspec, timeout)) ++ if (datagrams > 0 && compat_put_timespec(&ktspec, timeout)) + datagrams = -EFAULT; + + return datagrams; +-- +1.8.5.3 + diff --git a/libre/linux-libre/PKGBUILD b/libre/linux-libre/PKGBUILD index 5b4d785d4..b744bb9d5 100644 --- a/libre/linux-libre/PKGBUILD +++ b/libre/linux-libre/PKGBUILD @@ -1,4 +1,4 @@ -# $Id: PKGBUILD 204729 2014-01-26 08:54:46Z thomas $ +# $Id: PKGBUILD 204911 2014-01-31 09:59:51Z bluewind $ # Maintainer: Tobias Powalowski # Maintainer: Thomas Baechler # Maintainer (Parabola): André Silva @@ -12,7 +12,7 @@ pkgbase=linux-libre # Build stock -LIBRE kernel _basekernel=3.12 _sublevel=9 pkgver=${_basekernel}.${_sublevel} -pkgrel=1 +pkgrel=2 _lxopkgver=${_basekernel}.9 # nearly always the same as pkgver arch=('i686' 'x86_64' 'mips64el') url="http://linux-libre.fsfla.org/" @@ -36,7 +36,8 @@ source=("http://linux-libre.fsfla.org/pub/linux-libre/releases/${_basekernel}-gn 'rpc_pipe-remove-the-clntXX-dir-if-creating-the-pipe-fails.patch' 'sunrpc-add-an-info-file-for-the-dummy-gssd-pipe.patch' 'rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-notification-fails.patch' - "http://www.linux-libre.fsfla.org/pub/linux-libre/lemote/gnewsense/pool/debuginfo/linux-patches-${_lxopkgver}-gnu_0loongsonlibre_mipsel.tar.bz2") + '0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch' + "http://www.linux-libre.fsfla.org/pub/linux-libre/lemote/gnewsense/pool/debuginfo/linux-patches-${_lxopkgver}-gnu_0loongsonlibre_mipsel.tar.xz") md5sums=('254f59707b6676b59ce5ca5c3c698319' '348975e36e4dd27f5d8fc50e92de8922' '568ce15a9df133072489cbac8c4fefb3' @@ -53,6 +54,7 @@ md5sums=('254f59707b6676b59ce5ca5c3c698319' 'cec0bb8981936eab2943b2009b7a6fff' '88d9cddf9e0050a76ec4674f264fb2a1' 'cb9016630212ef07b168892fbcfd4e5d' + '336d2c4afd7ee5f2bdf0dcb1a54df4b2' '9cdff00e5aa53962869857d64a1ccf01') if [ "$CARCH" != "mips64el" ]; then # don't use the Loongson-specific patches on non-mips64el arches. @@ -99,6 +101,9 @@ prepare() { patch -Np1 -i "${srcdir}/rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-notification-fails.patch" + # Fix CVE-2014-0038 + patch -p1 -i "${srcdir}/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch" + if [ "$CARCH" == "mips64el" ]; then sed -i "s|^EXTRAVERSION.*|EXTRAVERSION =-libre|" Makefile sed -r "s|^( SUBLEVEL = ).*|\1$_sublevel|" \ -- cgit v1.2.3-2-g168b