2014-06-24 18:01:41

by Benjamin LaHaise

Subject: [PATCH 0/2] aio: fixes for kernel memory disclosure in aio read events

Please pull the following 2 fixes from my aio-fixes git tree at
git://git.kvack.org/~bcrl/aio-fixes.git . These fix a kernel memory
disclosure issue (arbitrary kmap() & copy_to_user()) revealed in
CVE-2014-0206 by changes that were introduced in v3.10.

Benjamin LaHaise (2):
aio: fix aio request leak when events are reaped by userspace
aio: fix kernel memory disclosure in io_getevents() introduced in v3.10

fs/aio.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

--
1.8.2.1


--
"Thought is the essence of where you are now."


2014-06-24 18:01:57

by Benjamin LaHaise

Subject: [PATCH 1/2] aio: fix aio request leak when events are reaped by userspace

The aio cleanups and optimizations by kmo that were merged into the 3.10
tree added a regression for userspace event reaping. Specifically, the
reference counts are not decremented if the event is reaped in userspace,
leading to the application being unable to submit further aio requests.
This patch applies to 3.12+. A separate backport is required for 3.10/3.11.
This issue was uncovered as part of CVE-2014-0206.

Signed-off-by: Benjamin LaHaise <[email protected]>
Cc: [email protected]
Cc: Kent Overstreet <[email protected]>
Cc: Mateusz Guzik <[email protected]>
Cc: Petr Matousek <[email protected]>
---
fs/aio.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/fs/aio.c b/fs/aio.c
index 4f078c0..6a9c7e4 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -1021,6 +1021,7 @@ void aio_complete(struct kiocb *iocb, long res, long res2)

/* everything turned out well, dispose of the aiocb. */
kiocb_free(iocb);
+ put_reqs_available(ctx, 1);

/*
* We have to order our ring_info tail store above and test
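Review bot: the new put_reqs_available(ctx, 1) call after kiocb_free() has to be safe in every context aio_complete() is invoked from, including any that are not process context, so it is worth confirming (and saying in the commit message) that its bookkeeping tolerates that. A one-line comment on the added line explaining why the credit is returned at completion rather than on the read path (userspace may reap events straight from the mapped ring and never call io_getevents()) would also keep the next reader from moving it back.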
@@ -1100,8 +1101,6 @@ static long aio_read_events_ring(struct kioctx *ctx,
flush_dcache_page(ctx->ring_pages[0]);

pr_debug("%li h%u t%u\n", ret, head, tail);
-
- put_reqs_available(ctx, ret);
out:
mutex_unlock(&ctx->ring_lock);
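Review bot: dropping put_reqs_available(ctx, ret) here means the count of events copied out (`ret`) no longer feeds reqs_available at all, which is only correct if every completed request gets exactly one credit back elsewhere; a short comment before `out:` stating that the read path deliberately does not touch reqs_available would record that invariant, and since the commit message says 3.10/3.11 need a separate backport, the cover letter should name what differs there so -stable does not apply this hunk as-is.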

--
1.8.2.1


--
"Thought is the essence of where you are now."

2014-06-24 18:02:20

by Benjamin LaHaise

Subject: [PATCH 2/2] aio: fix kernel memory disclosure in io_getevents() introduced in v3.10

A kernel memory disclosure was introduced in aio_read_events_ring() in v3.10
by commit a31ad380bed817aa25f8830ad23e1a0480fef797. The changes made to
aio_read_events_ring() failed to correctly limit the index into
ctx->ring_pages[], allowing an attacker to cause the subsequent kmap() of
an arbitrary page with a copy_to_user() to copy the contents into userspace.
This vulnerability has been assigned CVE-2014-0206. Thanks to Mateusz and
Petr for disclosing this issue.

This patch applies to v3.12+. A separate backport is needed for 3.10/3.11.

Signed-off-by: Benjamin LaHaise <[email protected]>
Cc: Mateusz Guzik <[email protected]>
Cc: Petr Matousek <[email protected]>
Cc: Kent Overstreet <[email protected]>
Cc: Jeff Moyer <[email protected]>
Cc: [email protected]
---
fs/aio.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/fs/aio.c b/fs/aio.c
index 6a9c7e4..955947e 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -1063,6 +1063,9 @@ static long aio_read_events_ring(struct kioctx *ctx,
if (head == tail)
goto out;

+ head %= ctx->nr_events;
+ tail %= ctx->nr_events;
+
while (ret < nr) {
long avail;
struct io_event *ev;
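Review bot: the `if (head == tail) goto out;` check just above still compares the raw values read from the shared ring header, while the reduction modulo `ctx->nr_events` happens after it, so two raw values that differ but coincide modulo nr_events pass the early check and enter the loop with head == tail; either move the two `%=` lines above the check or confirm that the loop body breaks cleanly in that state. A comment on the added lines saying that head and tail come from a page userspace can write, and so must be bounded before they are used to index ctx->ring_pages[], would make the purpose of the reduction obvious to anyone touching this function later.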
--
1.8.2.1


--
"Thought is the essence of where you are now."
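The two fixes in this series change where a request credit is returned (patch 1/2) and bound the indices read from the shared ring header before they select a page (patch 2/2). The following user-space model is an added example, not code from fs/aio.c or from this patch series: `struct ctx`, `submit()`, `complete()` and `read_events()` are hypothetical stand-ins for the kioctx, request allocation, aio_complete() and aio_read_events_ring(), the ring is a constructed 4 pages of 4 events, and the `bounded` flag exists only so the before/after behaviour of the index reduction can be exercised side by side. The unbounded reader reports an out-of-range page index instead of dereferencing it.

```c
#include <assert.h>
#include <stddef.h>
#include <string.h>

/* Constructed, tiny ring: 4 "pages" of 4 events, so nr_events == 16. */
#define EVENTS_PER_PAGE 4u
#define NR_PAGES        4u
#define NR_EVENTS       (EVENTS_PER_PAGE * NR_PAGES)

struct io_event { long data; long res; };

/* Models the ring header page that is mapped into, and writable by, userspace. */
struct ring_hdr { unsigned head; unsigned tail; };

/* Hypothetical model of struct kioctx: shared header, event pages, submission credits. */
struct ctx {
    struct ring_hdr ring;
    struct io_event pages[NR_PAGES][EVENTS_PER_PAGE];  /* stands in for ctx->ring_pages[] */
    unsigned nr_events;
    int reqs_available;
};

static void ctx_init(struct ctx *c)
{
    memset(c, 0, sizeof *c);
    c->nr_events = NR_EVENTS;
    c->reqs_available = (int)NR_EVENTS;
}

/* Submitting takes one credit; -1 stands in for -EAGAIN when none are left. */
static int submit(struct ctx *c)
{
    if (c->reqs_available <= 0)
        return -1;
    c->reqs_available--;
    return 0;
}

/* Completion appends the event at tail and returns the credit here (patch 1/2),
 * so it comes back even if userspace reaps the event straight from the ring. */
static void complete(struct ctx *c, long data, long res)
{
    unsigned t = c->ring.tail;
    c->pages[t / EVENTS_PER_PAGE][t % EVENTS_PER_PAGE] = (struct io_event){ data, res };
    c->ring.tail = (t + 1) % c->nr_events;
    c->reqs_available++;
}

/* Copies up to nr events out, following the shape of aio_read_events_ring().
 * head/tail come from the untrusted header; with bounded set they are reduced
 * modulo nr_events before indexing pages[] (patch 2/2). Returns the number of
 * events copied, or -1 if an index would fall outside pages[]. */
static long read_events(struct ctx *c, struct io_event *out, long nr, int bounded)
{
    unsigned head = c->ring.head, tail = c->ring.tail;
    long ret = 0;

    if (head == tail)
        return 0;
    if (bounded) {
        head %= c->nr_events;
        tail %= c->nr_events;
    }
    while (ret < nr) {
        long avail = (long)(head <= tail ? tail : c->nr_events) - (long)head;
        unsigned page = head / EVENTS_PER_PAGE;
        long room = (long)(EVENTS_PER_PAGE - head % EVENTS_PER_PAGE);

        if (head == tail)
            break;
        if (avail <= 0 || page >= NR_PAGES)
            return -1;                       /* index would leave pages[]: report, don't read */
        if (avail > nr - ret) avail = nr - ret;
        if (avail > room)     avail = room;  /* one page per copy, as the kernel does */
        memcpy(out + ret, &c->pages[page][head % EVENTS_PER_PAGE], sizeof *out * (size_t)avail);
        ret += avail;
        head = (head + (unsigned)avail) % c->nr_events;
    }
    c->ring.head = head;   /* no credit is returned on the read path any more */
    return ret;
}

/* Scenario A (patch 1/2): ring full, five completions, userspace reaps them by
 * advancing head itself, and a new submission must still succeed. Returns 1 on success. */
static int scenario_direct_reap(void)
{
    struct ctx c;
    unsigned i;
    int ok = 1;

    ctx_init(&c);
    for (i = 0; i < NR_EVENTS; i++)
        ok &= submit(&c) == 0;
    ok &= submit(&c) == -1;                  /* no credits left */
    for (i = 0; i < 5; i++)
        complete(&c, (long)i, 0);
    c.ring.head = c.ring.tail;               /* reaped without calling io_getevents() */
    ok &= submit(&c) == 0;                   /* credit was returned at completion */
    ok &= c.reqs_available == 4;
    return ok;
}

/* Scenario B (patch 2/2): a constructed out-of-range head in the shared header.
 * Returns the count copied by the bounded reader (14), -2 if the unbounded reader
 * did not flag the bad index, -3 if the wrong slots were copied. */
static long scenario_hostile_head(void)
{
    struct ctx c;
    struct io_event out[NR_EVENTS];
    unsigned i;
    long n;

    ctx_init(&c);
    for (i = 0; i < NR_EVENTS; i++) {        /* fill the ring: slot i holds data == i */
        submit(&c);
        complete(&c, (long)i, 0);
    }
    c.ring.head = 100;                       /* constructed: 100 >= nr_events */
    c.ring.tail = 2;
    if (read_events(&c, out, NR_EVENTS, 0) != -1)
        return -2;
    n = read_events(&c, out, NR_EVENTS, 1);  /* reads slots 4..15, then 0..1 */
    if (n != 14 || out[0].data != 4 || out[12].data != 0)
        return -3;
    return n;
}

int main(void)
{
    assert(scenario_direct_reap() == 1);
    assert(scenario_hostile_head() == 14);
    return 0;
}
```

Scenario A shows why the credit has to move to completion: once userspace advances head on its own, the read path never runs, and any accounting done there is simply lost. Scenario B shows what the two `%=` lines buy: the same header contents that would have produced a page index of 25 in a 4-page ring are reduced to a valid slot, and the reader walks 4..15 and then wraps to 0..1 exactly as it would for an honest header.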

2014-06-24 18:20:12

by Jeff Moyer

Subject: Re: [PATCH 1/2] aio: fix aio request leak when events are reaped by userspace

Benjamin LaHaise <[email protected]> writes:

> The aio cleanups and optimizations by kmo that were merged into the 3.10
> tree added a regression for userspace event reaping. Specifically, the
> reference counts are not decremented if the event is reaped in userspace,
> leading to the application being unable to submit further aio requests.
> This patch applies to 3.12+. A separate backport is required for 3.10/3.11.
> This issue was uncovered as part of CVE-2014-0206.
>
> Signed-off-by: Benjamin LaHaise <[email protected]>

Reviewed-by: Jeff Moyer <[email protected]>

2014-06-24 18:24:01

by Jeff Moyer

Subject: Re: [PATCH 2/2] aio: fix kernel memory disclosure in io_getevents() introduced in v3.10

Benjamin LaHaise <[email protected]> writes:

> A kernel memory disclosure was introduced in aio_read_events_ring() in v3.10
> by commit a31ad380bed817aa25f8830ad23e1a0480fef797. The changes made to
> aio_read_events_ring() failed to correctly limit the index into
> ctx->ring_pages[], allowing an attacker to cause the subsequent kmap() of
> an arbitrary page with a copy_to_user() to copy the contents into userspace.
> This vulnerability has been assigned CVE-2014-0206. Thanks to Mateusz and
> Petr for disclosing this issue.
>
> This patch applies to v3.12+. A separate backport is needed for 3.10/3.11.

Note that a 3.10 backport will need to remove this line from free_ioctx
as well:
atomic_sub(avail, &ctx->reqs_active);

Reviewed-by: Jeff Moyer <[email protected]>

2014-06-24 18:39:21

by Benjamin LaHaise

Subject: Re: [PATCH 2/2] aio: fix kernel memory disclosure in io_getevents() introduced in v3.10

On Tue, Jun 24, 2014 at 02:23:20PM -0400, Jeff Moyer wrote:
> Benjamin LaHaise <[email protected]> writes:
>
> > A kernel memory disclosure was introduced in aio_read_events_ring() in v3.10
> > by commit a31ad380bed817aa25f8830ad23e1a0480fef797. The changes made to
> > aio_read_events_ring() failed to correctly limit the index into
> > ctx->ring_pages[], allowing an attacker to cause the subsequent kmap() of
> > an arbitrary page with a copy_to_user() to copy the contents into userspace.
> > This vulnerability has been assigned CVE-2014-0206. Thanks to Mateusz and
> > Petr for disclosing this issue.
> >
> > This patch applies to v3.12+. A separate backport is needed for 3.10/3.11.
>
> Note that a 3.10 backport will need to remove this line from free_ioctx
> as well:
> atomic_sub(avail, &ctx->reqs_active);
>
> Reviewed-by: Jeff Moyer <[email protected]>

Can you post the backport for 3.10 so the -stable folks have something they
can use that was tested? Cheers,

-ben
--
"Thought is the essence of where you are now."

2014-06-24 19:21:51

by Jeff Moyer

Subject: Re: [PATCH 2/2] aio: fix kernel memory disclosure in io_getevents() introduced in v3.10

Benjamin LaHaise <[email protected]> writes:

> On Tue, Jun 24, 2014 at 02:23:20PM -0400, Jeff Moyer wrote:
>> Benjamin LaHaise <[email protected]> writes:
>>
>> > A kernel memory disclosure was introduced in aio_read_events_ring() in v3.10
>> > by commit a31ad380bed817aa25f8830ad23e1a0480fef797. The changes made to
>> > aio_read_events_ring() failed to correctly limit the index into
>> > ctx->ring_pages[], allowing an attacker to cause the subsequent kmap() of
>> > an arbitrary page with a copy_to_user() to copy the contents into userspace.
>> > This vulnerability has been assigned CVE-2014-0206. Thanks to Mateusz and
>> > Petr for disclosing this issue.
>> >
>> > This patch applies to v3.12+. A separate backport is needed for 3.10/3.11.
>>
>> Note that a 3.10 backport will need to remove this line from free_ioctx
>> as well:
>> atomic_sub(avail, &ctx->reqs_active);
>>
>> Reviewed-by: Jeff Moyer <[email protected]>
>
> Can you post the backport for 3.10 so the -stable folks have something they
> can use that was tested? Cheers,

Sure thing.

Cheers,
Jeff