[linux] 02/04: [arm*] oabi compat: add missing access checks (CVE-2016-3857)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Tue Aug 30 23:46:41 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch wheezy-security
in repository linux.
commit 92713f2758d802fa1febdcdd8877dde47d35147b
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Tue Aug 30 13:00:01 2016 +0100
[arm*] oabi compat: add missing access checks (CVE-2016-3857)
---
debian/changelog | 1 +
...arm-oabi-compat-add-missing-access-checks.patch | 44 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 46 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 00667c6..0458d01 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -11,6 +11,7 @@ linux (3.2.81-2) UNRELEASED; urgency=medium
- [x86] Revert: KVM: lapic: mark LAPIC timer handler as irqsafe
- trace: correct off by one while recording the trace-event
- [x86] Fix an RT MCE crash
+ * [arm*] oabi compat: add missing access checks (CVE-2016-3857)
-- Ben Hutchings <ben at decadent.org.uk> Fri, 17 Jun 2016 23:35:41 +0100
diff --git a/debian/patches/bugfix/arm/arm-oabi-compat-add-missing-access-checks.patch b/debian/patches/bugfix/arm/arm-oabi-compat-add-missing-access-checks.patch
new file mode 100644
index 0000000..4aef6ef
--- /dev/null
+++ b/debian/patches/bugfix/arm/arm-oabi-compat-add-missing-access-checks.patch
@@ -0,0 +1,44 @@
+From: Dave Weinstein <olorin at google.com>
+Date: Thu, 28 Jul 2016 11:55:41 -0700
+Subject: arm: oabi compat: add missing access checks
+Origin: https://git.kernel.org/linus/7de249964f5578e67b99699c5f0b405738d820a2
+
+Add access checks to sys_oabi_epoll_wait() and sys_oabi_semtimedop().
+This fixes CVE-2016-3857, a local privilege escalation under
+CONFIG_OABI_COMPAT.
+
+Cc: stable at vger.kernel.org
+Reported-by: Chiachih Wu <wuchiachih at gmail.com>
+Reviewed-by: Kees Cook <keescook at chromium.org>
+Reviewed-by: Nicolas Pitre <nico at linaro.org>
+Signed-off-by: Dave Weinstein <olorin at google.com>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ arch/arm/kernel/sys_oabi-compat.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/kernel/sys_oabi-compat.c
++++ b/arch/arm/kernel/sys_oabi-compat.c
+@@ -275,8 +275,12 @@ asmlinkage long sys_oabi_epoll_wait(int
+ mm_segment_t fs;
+ long ret, err, i;
+
+- if (maxevents <= 0 || maxevents > (INT_MAX/sizeof(struct epoll_event)))
++ if (maxevents <= 0 ||
++ maxevents > (INT_MAX/sizeof(*kbuf)) ||
++ maxevents > (INT_MAX/sizeof(*events)))
+ return -EINVAL;
++ if (!access_ok(VERIFY_WRITE, events, sizeof(*events) * maxevents))
++ return -EFAULT;
+ kbuf = kmalloc(sizeof(*kbuf) * maxevents, GFP_KERNEL);
+ if (!kbuf)
+ return -ENOMEM;
+@@ -313,6 +317,8 @@ asmlinkage long sys_oabi_semtimedop(int
+
+ if (nsops < 1 || nsops > SEMOPM)
+ return -EINVAL;
++ if (!access_ok(VERIFY_READ, tsops, sizeof(*tsops) * nsops))
++ return -EFAULT;
+ sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
+ if (!sops)
+ return -ENOMEM;
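Review bot: The two added `access_ok()` checks in sys_oabi_epoll_wait() and sys_oabi_semtimedop() carry no comment saying why they are needed, so a later cleanup could mistake them for redundant validation and drop them. Both functions continue outside these hunks; the per-element copies there presumably use the unchecked `__put_user_error()` / `__get_user_error()` accessors, which would be why the whole user range has to be validated up front. I would add `/* events is written below with unchecked accessors; validate the whole range first */` above the first check and `/* tsops is read below with unchecked accessors; validate the whole range first */` above the second. The size arguments look safe from wrapping at these points, since maxevents is already bounded against `INT_MAX/sizeof(*events)` and nsops against `SEMOPM`.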
diff --git a/debian/patches/series b/debian/patches/series
index 5f265fe..54c2c92 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1118,6 +1118,7 @@ bugfix/all/keys-potential-uninitialized-variable.patch
bugfix/all/hid-hiddev-validate-num_values-for-hidiocgusages-hid.patch
bugfix/all/tcp-make-challenge-acks-less-predictable.patch
bugfix/all/audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch
+bugfix/arm/arm-oabi-compat-add-missing-access-checks.patch
# ABI maintenance
debian/perf-hide-abi-change-in-3.2.30.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git