On Tue, Jun 24, 2014 at 3:51 AM, Borislav Petkov <bp@xxxxxxxxx> wrote: > On Mon, Jun 23, 2014 at 02:22:15PM -0700, Andy Lutomirski wrote: >> The bad syscall nr paths are their own incomprehensible route >> through the entry control flow. Rearrange them to work just like >> syscalls that return -ENOSYS. >> >> This fixes an OOPS in the audit code when fast-path auditing is >> enabled and sysenter gets a bad syscall nr (CVE-2014-4508). >> >> This has probably been broken since Linux 2.6.27: >> af0575bba0 i386 syscall audit fast-path >> >> Cc: stable@xxxxxxxxxxxxxxx >> Cc: Roland McGrath <roland@xxxxxxxxxx> >> Reported-by: Toralf Förster <toralf.foerster@xxxxxx> >> Signed-off-by: Andy Lutomirski <luto@xxxxxxxxxxxxxx> >> --- >> >> I realize that the syscall audit fast path and badsys code, on 32-bit >> x86 no less, is possibly one of the least fun things in the kernel to >> review, but this is still a real security bug and should get fixed :( >> >> So I'm cc-ing a bunch of people and maybe someone will review it. > > Well, AFAICS, you're rerouting execution so that the audit stuff gets > properly "unwound" before returning to userspace. Which makes sense to > me. > > Would it really work in all possible cases and isn't it causing any > other problems? > > No friggin' idea - it would need extensive hammering to confirm it is ok > IMHO. > > HTH. It confirms my sense that no one knows how to test this stuff :-/ It's pretty clear that no one has ever extensively hammered it. I wonder how much could be effectively rewritten in C. I'm thinking of redoing most of the entry work in C, but that won't help here. --Andy -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html