diff --git a/debian/changelog b/debian/changelog
index 1a3153c91..5458a015d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -53,6 +53,7 @@ linux (3.14.9-1) UNRELEASED; urgency=medium
 - bugfix, handling an error in opening a FIFO
 - propagate aufs file references to new vmas created by remap_file_pages()
 * linux-image: Make initramfs support unconditional
+ * [x86] x86_32, entry: Do syscall exit work on badsys (CVE-2014-4508)
 
 [ Aurelien Jarno ]
 * [arm64] Enable COMPAT to support 32-bit binaries.
diff --git a/debian/patches/bugfix/x86/x86_32-entry-Do-syscall-exit-work-on-badsys-CVE-2014.patch b/debian/patches/bugfix/x86/x86_32-entry-Do-syscall-exit-work-on-badsys-CVE-2014.patch
new file mode 100644
index 000000000..a533f48f4
--- /dev/null
+++ b/debian/patches/bugfix/x86/x86_32-entry-Do-syscall-exit-work-on-badsys-CVE-2014.patch
@@ -0,0 +1,56 @@
+From: Andy Lutomirski
+Date: Mon, 23 Jun 2014 14:22:15 -0700
+Subject: x86_32, entry: Do syscall exit work on badsys (CVE-2014-4508)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/554086d85e71f30abe46fc014fea31929a7c6a8a
+
+The bad syscall nr paths are their own incomprehensible route
+through the entry control flow. Rearrange them to work just like
+syscalls that return -ENOSYS.
+
+This fixes an OOPS in the audit code when fast-path auditing is
+enabled and sysenter gets a bad syscall nr (CVE-2014-4508).
+
+This has probably been broken since Linux 2.6.27:
+af0575bba0 i386 syscall audit fast-path
+
+Cc: stable@vger.kernel.org
+Cc: Roland McGrath
+Reported-by: Toralf Förster
+Signed-off-by: Andy Lutomirski
+Link: http://lkml.kernel.org/r/e09c499eade6fc321266dd6b54da7beb28d6991c.1403558229.git.luto@amacapital.net
+Signed-off-by: H. Peter Anvin
+---
+ arch/x86/kernel/entry_32.S | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/entry_32.S
++++ b/arch/x86/kernel/entry_32.S
+@@ -431,9 +431,10 @@ sysenter_past_esp:
+ jnz sysenter_audit
+ sysenter_do_call:
+ cmpl $(NR_syscalls), %eax
+- jae syscall_badsys
++ jae sysenter_badsys
+ call *sys_call_table(,%eax,4)
+ movl %eax,PT_EAX(%esp)
++sysenter_after_call:
+ LOCKDEP_SYS_EXIT
+ DISABLE_INTERRUPTS(CLBR_ANY)
+ TRACE_IRQS_OFF
+@@ -688,7 +689,12 @@ END(syscall_fault)
+ 
+ syscall_badsys:
+ movl $-ENOSYS,PT_EAX(%esp)
+- jmp resume_userspace
++ jmp syscall_exit
++END(syscall_badsys)
++
++sysenter_badsys:
++ movl $-ENOSYS,PT_EAX(%esp)
++ jmp sysenter_after_call
+ END(syscall_badsys)
+ CFI_ENDPROC
+ /*
diff --git a/debian/patches/series b/debian/patches/series
index fd0d28c2a..024360ce6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
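Review bot: The imported patch closes the new `sysenter_badsys` block with the wrong symbol name: the inner hunk at `@@ -688,7 +689,12 @@` adds `END(syscall_badsys)` directly after `jmp syscall_exit` and then keeps the pre-existing context line `END(syscall_badsys)` after `jmp sysenter_after_call`, so `syscall_badsys` gets its size set twice and `sysenter_badsys` never does. The assembler presumably tolerates the duplicate, and the CVE-2014-4508 fix itself (routing the bad-nr path through the normal exit work with `-ENOSYS` already stored in `PT_EAX`) is unaffected, but the symbol table for the entry path becomes misleading; the surviving line should read `END(sysenter_badsys)`. Upstream appears to have corrected this in a follow-up cleanup, and if so that cleanup is worth carrying in the same patch series rather than importing the mismatch as-is. The enclosing entry-code region continues past the hunk on both sides (`CFI_ENDPROC` and `/*` are only the start of what follows), so the surrounding CFI bracketing could not be checked here.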
@@ -92,3 +92,4 @@ debian/dma-avoid-abi-change-in-3.14.6.patch
 debian/vfs-avoid-abi-change-for-cve-2014-4014.patch
 bugfix/all/SCSI-Fix-spurious-request-sense-in-error-handling.patch
 debian/alsa-avoid-abi-change-for-cve-2014-4652-fix.patch
+bugfix/x86/x86_32-entry-Do-syscall-exit-work-on-badsys-CVE-2014.patch