
[Precise] arm: oabi compat: add missing access checks

Message ID 1472203376-25543-2-git-send-email-luis.henriques@canonical.com
State New

Commit Message

Luis Henriques Aug. 26, 2016, 9:22 a.m. UTC
From: Dave Weinstein <olorin@google.com>

Add access checks to sys_oabi_epoll_wait() and sys_oabi_semtimedop().
This fixes CVE-2016-3857, a local privilege escalation under
CONFIG_OABI_COMPAT.

Cc: stable@vger.kernel.org
Reported-by: Chiachih Wu <wuchiachih@gmail.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Dave Weinstein <olorin@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

CVE-2016-3857
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 arch/arm/kernel/sys_oabi-compat.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

Comments

Tim Gardner Aug. 26, 2016, 12:56 p.m. UTC | #1
On 08/26/2016 03:22 AM, Luis Henriques wrote:
> From: Dave Weinstein <olorin@google.com>
> 
> Add access checks to sys_oabi_epoll_wait() and sys_oabi_semtimedop().
> This fixes CVE-2016-3857, a local privilege escalation under
> CONFIG_OABI_COMPAT.
> 
> Cc: stable@vger.kernel.org
> Reported-by: Chiachih Wu <wuchiachih@gmail.com>
> Reviewed-by: Kees Cook <keescook@chromium.org>
> Reviewed-by: Nicolas Pitre <nico@linaro.org>
> Signed-off-by: Dave Weinstein <olorin@google.com>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> 
> CVE-2016-3857
> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
> ---
>  arch/arm/kernel/sys_oabi-compat.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/arm/kernel/sys_oabi-compat.c b/arch/arm/kernel/sys_oabi-compat.c
> index af0aaebf4de6..32884a6006cf 100644
> --- a/arch/arm/kernel/sys_oabi-compat.c
> +++ b/arch/arm/kernel/sys_oabi-compat.c
> @@ -275,8 +275,12 @@ asmlinkage long sys_oabi_epoll_wait(int epfd,
>  	mm_segment_t fs;
>  	long ret, err, i;
>  
> -	if (maxevents <= 0 || maxevents > (INT_MAX/sizeof(struct epoll_event)))
> +	if (maxevents <= 0 ||
> +			maxevents > (INT_MAX/sizeof(*kbuf)) ||
> +			maxevents > (INT_MAX/sizeof(*events)))
>  		return -EINVAL;
> +	if (!access_ok(VERIFY_WRITE, events, sizeof(*events) * maxevents))
> +		return -EFAULT;
>  	kbuf = kmalloc(sizeof(*kbuf) * maxevents, GFP_KERNEL);
>  	if (!kbuf)
>  		return -ENOMEM;
> @@ -313,6 +317,8 @@ asmlinkage long sys_oabi_semtimedop(int semid,
>  
>  	if (nsops < 1 || nsops > SEMOPM)
>  		return -EINVAL;
> +	if (!access_ok(VERIFY_READ, tsops, sizeof(*tsops) * nsops))
> +		return -EFAULT;
>  	sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
>  	if (!sops)
>  		return -ENOMEM;
> 

This is a clean cherry-pick of 7de249964f5578e67b99699c5f0b405738d820a2
('arm: oabi compat: add missing access checks') though that is not noted
in the commit log.
Luis Henriques Aug. 26, 2016, 1:04 p.m. UTC | #2
Tim Gardner <tim.gardner@canonical.com> writes:

> On 08/26/2016 03:22 AM, Luis Henriques wrote:
>> From: Dave Weinstein <olorin@google.com>
>> 
>
> This is a clean cherry-pick of 7de249964f5578e67b99699c5f0b405738d820a2
> ('arm: oabi compat: add missing access checks') though that is not noted
> in the commit log.

Ups!  Sorry, looks like I forgot the 'x' in 'git cherry-pick' :-/

Cheers,

Patch

diff --git a/arch/arm/kernel/sys_oabi-compat.c b/arch/arm/kernel/sys_oabi-compat.c
index af0aaebf4de6..32884a6006cf 100644
--- a/arch/arm/kernel/sys_oabi-compat.c
+++ b/arch/arm/kernel/sys_oabi-compat.c
@@ -275,8 +275,12 @@  asmlinkage long sys_oabi_epoll_wait(int epfd,
 	mm_segment_t fs;
 	long ret, err, i;
 
-	if (maxevents <= 0 || maxevents > (INT_MAX/sizeof(struct epoll_event)))
+	if (maxevents <= 0 ||
+			maxevents > (INT_MAX/sizeof(*kbuf)) ||
+			maxevents > (INT_MAX/sizeof(*events)))
 		return -EINVAL;
+	if (!access_ok(VERIFY_WRITE, events, sizeof(*events) * maxevents))
+		return -EFAULT;
 	kbuf = kmalloc(sizeof(*kbuf) * maxevents, GFP_KERNEL);
 	if (!kbuf)
 		return -ENOMEM;
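Review bot: The new `access_ok(VERIFY_WRITE, events, ...)` check has no comment saying why it is required, and the same holds for the `access_ok(VERIFY_READ, tsops, ...)` check in the sys_oabi_semtimedop() hunk. The copy loops are outside both hunks, but the commit message implies they reach user memory without a range check of their own, so a later refactor could move or drop these guards unnoticed. I would add a comment above each call along the lines of `/* the user range is accessed with unchecked accessors below; validate it here, before allocating */`. The comment should also state that access_ok() only confirms the range lies within the user address space, not that it is mapped, so the copy loops must keep their fault handling. The size products passed to access_ok() are safe only because of the preceding bounds (`INT_MAX/sizeof(...)` here, `SEMOPM` in the second hunk), which is worth noting in the same comment so the checks are not reordered.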
@@ -313,6 +317,8 @@  asmlinkage long sys_oabi_semtimedop(int semid,
 
 	if (nsops < 1 || nsops > SEMOPM)
 		return -EINVAL;
+	if (!access_ok(VERIFY_READ, tsops, sizeof(*tsops) * nsops))
+		return -EFAULT;
 	sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
 	if (!sops)
 		return -ENOMEM;