Re: [PATCH] x86_32,entry: Do syscall exit work on badsys (CVE-2014-4508)

[Andy Lutomirski]

On Tue, Jun 24, 2014 at 3:51 AM, Borislav Petkov <bp@xxxxxxxxx> wrote:
> On Mon, Jun 23, 2014 at 02:22:15PM -0700, Andy Lutomirski wrote:
>> The bad syscall nr paths are their own incomprehensible route
>> through the entry control flow.  Rearrange them to work just like
>> syscalls that return -ENOSYS.
>>
>> This fixes an OOPS in the audit code when fast-path auditing is
>> enabled and sysenter gets a bad syscall nr (CVE-2014-4508).
>>
>> This has probably been broken since Linux 2.6.27:
>> af0575bba0 i386 syscall audit fast-path
>>
>> Cc: stable@xxxxxxxxxxxxxxx
>> Cc: Roland McGrath <roland@xxxxxxxxxx>
>> Reported-by: Toralf FÃrster <toralf.foerster@xxxxxx>
>> Signed-off-by: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
>> ---
>>
>> I realize that the syscall audit fast path and badsys code, on 32-bit
>> x86 no less, is possibly one of the least fun things in the kernel to
>> review, but this is still a real security bug and should get fixed :(
>>
>> So I'm cc-ing a bunch of people and maybe someone will review it.
>
> Well, AFAICS, you're rerouting execution so that the audit stuff gets
> properly "unwound" before returning to userspace. Which makes sense to
> me.
>
> Would it really work in all possible cases and isn't it causing any
> other problems?
>
> No friggin' idea - it would need extensive hammering to confirm it is ok
> IMHO.
>
> HTH.

It confirms my sense that no one knows how to test this stuff :-/
It's pretty clear that no one has ever extensively hammered it.

I wonder how much could be effectively rewritten in C.  I'm thinking
of redoing most of the entry work in C, but that won't help here.

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/