[PATCH 0/1][SRU][X] Bad posix clock speculation mitigation backport (LP: #1847189)

Tyler Hicks-2
BugLink: https://launchpad.net/bugs/1847189

[Impact]

Vitaly Nikolenko pointed out that syscall(__NR_clock_gettime, 10, 0) can
be used to perform a denial of service (system crash) or possibly
execute arbitrary code in the Ubuntu Xenial kernel:

  https://twitter.com/vnik5287/status/1180666151216435200

[Test Case]

Execute the following test program and verify that it prints out
"clock_gettime: Invalid argument" rather than triggering a NULL pointer
dereference and stack trace in the kernel logs.

==========
#include <stdio.h>
#include <time.h>

int main(void)
{
        /* Clock id 10 is below MAX_CLOCKS but has no k_clock registered
         * in posix_clocks[]; a correct kernel rejects it with EINVAL
         * instead of calling through a NULL function pointer. */
        int rc = clock_gettime(10, 0);

        if (rc < 0)
                perror("clock_gettime");

        return rc;
}
==========

[Regression Potential]

Low. The fix is easy to review and fixes a denial of service issue
that's trivial to trigger.

Tyler

Tyler Hicks (1):
  UBUNTU: SAUCE: Fix posix clock speculation mitigation backport

 kernel/time/posix-timers.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
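As an added example, not part of Tyler's submission or the Ubuntu kernel tree, the single-id test program above can be widened into a sweep of every static clock id the kernel can index, so that verification covers the whole posix_clocks[] table rather than only id 10. It assumes MAX_CLOCKS is 16 (the size of that table in this kernel) and goes through the raw syscall so the vDSO fast path cannot answer on the kernel's behalf; the names probe_clock and sweep_static_clocks are mine. A fixed kernel answers every id with either a timestamp or EINVAL; an oops or any other errno means the NULL check is still missing.

```c
/*
 * Added example (not part of the patch or the Ubuntu kernel tree): sweep
 * all static posix clock ids and classify the kernel's answer to each.
 * Assumption: MAX_CLOCKS is 16, the size of the static posix_clocks[] array.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <time.h>
#include <unistd.h>

#define MAX_CLOCKS 16   /* assumed size of the kernel's static clock table */

/* Query clock `id` with the raw clock_gettime syscall (no vDSO shortcut).
 * Returns 0 when the kernel produced a timestamp, else the errno it set. */
int probe_clock(clockid_t id)
{
    struct timespec ts;

    if (syscall(SYS_clock_gettime, id, &ts) == 0)
        return 0;
    return errno;
}

/* Walk ids 0..MAX_CLOCKS-1. Counts registered clocks in *valid and ids the
 * kernel refuses with EINVAL in *rejected. Any other outcome is printed and
 * counted in the return value; a fixed kernel returns 0 here. */
int sweep_static_clocks(int *valid, int *rejected)
{
    int unexpected = 0;

    *valid = 0;
    *rejected = 0;

    for (clockid_t id = 0; id < MAX_CLOCKS; id++) {
        int err = probe_clock(id);

        if (err == 0) {
            (*valid)++;
        } else if (err == EINVAL) {
            (*rejected)++;
        } else {
            printf("clock id %d: unexpected error: %s\n", id, strerror(err));
            unexpected++;
        }
    }
    return unexpected;
}

int main(void)
{
    int valid, rejected;
    int unexpected = sweep_static_clocks(&valid, &rejected);

    printf("registered clocks: %d, rejected with EINVAL: %d, unexpected: %d\n",
           valid, rejected, unexpected);
    /* Id 10 is the slot from the bug report; it must come back as EINVAL. */
    printf("clock id 10 -> %s\n", strerror(probe_clock(10)));

    return unexpected != 0;
}
```

Build with gcc and run as an unprivileged user; the exit status is non-zero only if some id produced an error other than EINVAL, which is the signature of a lookup that returned a k_clock with NULL function pointers.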
[PATCH 1/1] UBUNTU: SAUCE: Fix posix clock speculation mitigation backport

Tyler Hicks-2
BugLink: https://launchpad.net/bugs/1847189

The Ubuntu Xenial backport of upstream commit 19b558db12f9
("posix-timers: Protect posix clock array access against speculation")
incorrectly dropped the NULL check on the .clock_getres function
pointer. Readd the NULL check while still protecting against
side-channel speculation attacks when indexing into the posix_clocks
array to perform that NULL check.

The NULL check protects against a denial of service (system crash) or
possible arbitrary code execution that can be triggered by
clock_gettime(10, 0), as pointed out by Vitaly Nikolenko.

Fixes: eb4a3a43d161 ("posix-timers: Protect posix clock array access against speculation")
Signed-off-by: Tyler Hicks <[hidden email]>
---
 kernel/time/posix-timers.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c
index fef13152b372..6e0ac1e7494e 100644
--- a/kernel/time/posix-timers.c
+++ b/kernel/time/posix-timers.c
@@ -606,7 +606,11 @@ static struct k_clock *clockid_to_kclock(const clockid_t id)
  if (id >= MAX_CLOCKS)
  return NULL;
 
- return &posix_clocks[array_index_nospec(idx, MAX_CLOCKS)];
+ idx = array_index_nospec(idx, MAX_CLOCKS);
+ if (!posix_clocks[idx].clock_getres)
+ return NULL;
+
+ return &posix_clocks[idx];
 }
 
 static int common_timer_create(struct k_itimer *new_timer)
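Review bot: the new `idx = array_index_nospec(idx, MAX_CLOCKS);` assigns to a local declared above the visible context; since the parameter `id` is `const clockid_t`, confirm `idx` is a separate, non-const copy of `id`, otherwise this hunk will not compile. The ordering is the important part and looks right: the index is clamped before it is used to load `.clock_getres`, so the re-added NULL check does not reopen the speculative out-of-bounds read that the original mitigation closed, and an unregistered slot such as id 10 now yields NULL (EINVAL to user space) instead of a k_clock with NULL function pointers. A one-line comment above the check saying why the clamp must precede the NULL test would help the next backporter avoid the same mistake.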
--
2.17.1


ACK: [PATCH 0/1][SRU][X] Bad posix clock speculation mitigation backport (LP: #1847189)

Colin Ian King-2
In reply to this post by Tyler Hicks-2
On 08/10/2019 07:10, Tyler Hicks wrote:

> BugLink: https://launchpad.net/bugs/1847189
>
> [Impact]
>
> Vitaly Nikolenko pointed out that syscall(__NR_clock_gettime, 10, 0) can
> be used to perform a denial of service (system crash) or possibly
> execute arbitrary code in the Ubuntu Xenial kernel:
>
>   https://twitter.com/vnik5287/status/1180666151216435200
>
> [Test Case]
>
> Execute the following test program and verify that it prints out
> "clock_gettime: Invalid argument" rather than triggering a NULL pointer
> dereference and stack trace in the kernel logs.
>
> ==========
> #include <stdio.h>
> #include <time.h>
>
> int main(void)
> {
>         int rc = clock_gettime(10, 0);
>
>         if (rc < 0)
>                 perror("clock_gettime");
>
>         return rc;
> }
> ==========
>
> [Regression Potential]
>
> Low. The fix is easy to review and fixes a denial of service issue
> that's trivial to trigger.
>
> Tyler
>
> Tyler Hicks (1):
>   UBUNTU: SAUCE: Fix posix clock speculation mitigation backport
>
>  kernel/time/posix-timers.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
>
Looks good to me.

Acked-by: Colin Ian King <[hidden email]>

ACK: [PATCH 0/1][SRU][X] Bad posix clock speculation mitigation backport (LP: #1847189)

Andrea Righi
In reply to this post by Tyler Hicks-2
On Tue, Oct 08, 2019 at 06:10:14AM +0000, Tyler Hicks wrote:

> BugLink: https://launchpad.net/bugs/1847189
>
> [Impact]
>
> Vitaly Nikolenko pointed out that syscall(__NR_clock_gettime, 10, 0) can
> be used to perform a denial of service (system crash) or possibly
> execute arbitrary code in the Ubuntu Xenial kernel:
>
>   https://twitter.com/vnik5287/status/1180666151216435200
>
> [Test Case]
>
> Execute the following test program and verify that it prints out
> "clock_gettime: Invalid argument" rather than triggering a NULL pointer
> dereference and stack trace in the kernel logs.
>
> ==========
> #include <stdio.h>
> #include <time.h>
>
> int main(void)
> {
>         int rc = clock_gettime(10, 0);
>
>         if (rc < 0)
>                 perror("clock_gettime");
>
>         return rc;
> }
> ==========
>
> [Regression Potential]
>
> Low. The fix is easy to review and fixes a denial of service issue
> that's trivial to trigger.
>
> Tyler
>
> Tyler Hicks (1):
>   UBUNTU: SAUCE: Fix posix clock speculation mitigation backport
>
>  kernel/time/posix-timers.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)

The fix makes sense to me.

Acked-by: Andrea Righi <[hidden email]>

APPLIED: [PATCH 0/1][SRU][X] Bad posix clock speculation mitigation backport (LP: #1847189)

Kleber Souza
In reply to this post by Tyler Hicks-2
On 08.10.19 08:10, Tyler Hicks wrote:

> BugLink: https://launchpad.net/bugs/1847189
>
> [Impact]
>
> Vitaly Nikolenko pointed out that syscall(__NR_clock_gettime, 10, 0) can
> be used to perform a denial of service (system crash) or possibly
> execute arbitrary code in the Ubuntu Xenial kernel:
>
>   https://twitter.com/vnik5287/status/1180666151216435200
>
> [Test Case]
>
> Execute the following test program and verify that it prints out
> "clock_gettime: Invalid argument" rather than triggering a NULL pointer
> dereference and stack trace in the kernel logs.
>
> ==========
> #include <stdio.h>
> #include <time.h>
>
> int main(void)
> {
>         int rc = clock_gettime(10, 0);
>
>         if (rc < 0)
>                 perror("clock_gettime");
>
>         return rc;
> }
> ==========
>
> [Regression Potential]
>
> Low. The fix is easy to review and fixes a denial of service issue
> that's trivial to trigger.
>
> Tyler
>
> Tyler Hicks (1):
>   UBUNTU: SAUCE: Fix posix clock speculation mitigation backport
>
>  kernel/time/posix-timers.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
>

Applied to xenial/master-next branch.

Thanks,
Kleber
