[SRU][T][PATCH 0/1] CVE-2017-18344 - Incorrect POSIX timer validation

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

[SRU][T][PATCH 0/1] CVE-2017-18344 - Incorrect POSIX timer validation

Tyler Hicks-2
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18344.html

 The timer_create syscall implementation in kernel/time/posix-timers.c in
 the Linux kernel before 4.14.8 doesn't properly validate the
 sigevent->sigev_notify field, which leads to out-of-bounds access in the
 show_timer function (called when /proc/$PID/timers is read). This allows
 userspace applications to read arbitrary kernel memory (on a kernel built
 with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE).

This is backported from upstream and tested with a PoC that I wrote. Xenial has
already picked up this fix via linux-stable. Bionic released with this fix.

Tyler

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

[PATCH] posix-timer: Properly check sigevent->sigev_notify

Tyler Hicks-2
From: Thomas Gleixner <[hidden email]>

timer_create() specifies via sigevent->sigev_notify the signal delivery for
the new timer. The valid modes are SIGEV_NONE, SIGEV_SIGNAL, SIGEV_THREAD
and (SIGEV_SIGNAL | SIGEV_THREAD_ID).

The sanity check in good_sigevent() is only checking the valid combination
for the SIGEV_THREAD_ID bit, i.e. SIGEV_SIGNAL, but if SIGEV_THREAD_ID is
not set it accepts any random value.

This has no real effects on the posix timer and signal delivery code, but
it affects show_timer() which handles the output of /proc/$PID/timers. That
function uses a string array to pretty print sigev_notify. The access to
that array has no bound checks, so random sigev_notify cause access beyond
the array bounds.

Add proper checks for the valid notify modes and remove the SIGEV_THREAD_ID
masking from various code pathes as SIGEV_NONE can never be set in
combination with SIGEV_THREAD_ID.

Reported-by: Eric Biggers <[hidden email]>
Reported-by: Dmitry Vyukov <[hidden email]>
Reported-by: Alexey Dobriyan <[hidden email]>
Signed-off-by: Thomas Gleixner <[hidden email]>
Cc: John Stultz <[hidden email]>
Cc: [hidden email]

CVE-2017-18344

(backported from commit cef31d9af908243421258f1df35a4a644604efbe)
[tyhicks: Do not worry about removing the SIGEV_THREAD_ID masking since it is
 irrelevant to the security fix]
Signed-off-by: Tyler Hicks <[hidden email]>
---
 kernel/posix-timers.c | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/kernel/posix-timers.c b/kernel/posix-timers.c
index 77e6b83c0431..26b910462a0c 100644
--- a/kernel/posix-timers.c
+++ b/kernel/posix-timers.c
@@ -498,17 +498,22 @@ static struct pid *good_sigevent(sigevent_t * event)
 {
  struct task_struct *rtn = current->group_leader;
 
- if ((event->sigev_notify & SIGEV_THREAD_ID ) &&
- (!(rtn = find_task_by_vpid(event->sigev_notify_thread_id)) ||
- !same_thread_group(rtn, current) ||
- (event->sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_SIGNAL))
+ switch (event->sigev_notify) {
+ case SIGEV_SIGNAL | SIGEV_THREAD_ID:
+ rtn = find_task_by_vpid(event->sigev_notify_thread_id);
+ if (!rtn || !same_thread_group(rtn, current))
+ return NULL;
+ /* FALLTHRU */
+ case SIGEV_SIGNAL:
+ case SIGEV_THREAD:
+ if (event->sigev_signo <= 0 || event->sigev_signo > SIGRTMAX)
+ return NULL;
+ /* FALLTHRU */
+ case SIGEV_NONE:
+ return task_pid(rtn);
+ default:
  return NULL;
-
- if (((event->sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_NONE) &&
-    ((event->sigev_signo <= 0) || (event->sigev_signo > SIGRTMAX)))
- return NULL;
-
- return task_pid(rtn);
+ }
 }
 
 void posix_timers_register_clock(const clockid_t clock_id,
--
2.7.4


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

ACK: [PATCH] posix-timer: Properly check sigevent->sigev_notify

Kleber Souza
On 08/03/18 23:25, Tyler Hicks wrote:

> From: Thomas Gleixner <[hidden email]>
>
> timer_create() specifies via sigevent->sigev_notify the signal delivery for
> the new timer. The valid modes are SIGEV_NONE, SIGEV_SIGNAL, SIGEV_THREAD
> and (SIGEV_SIGNAL | SIGEV_THREAD_ID).
>
> The sanity check in good_sigevent() is only checking the valid combination
> for the SIGEV_THREAD_ID bit, i.e. SIGEV_SIGNAL, but if SIGEV_THREAD_ID is
> not set it accepts any random value.
>
> This has no real effects on the posix timer and signal delivery code, but
> it affects show_timer() which handles the output of /proc/$PID/timers. That
> function uses a string array to pretty print sigev_notify. The access to
> that array has no bound checks, so random sigev_notify cause access beyond
> the array bounds.
>
> Add proper checks for the valid notify modes and remove the SIGEV_THREAD_ID
> masking from various code pathes as SIGEV_NONE can never be set in
> combination with SIGEV_THREAD_ID.
>
> Reported-by: Eric Biggers <[hidden email]>
> Reported-by: Dmitry Vyukov <[hidden email]>
> Reported-by: Alexey Dobriyan <[hidden email]>
> Signed-off-by: Thomas Gleixner <[hidden email]>
> Cc: John Stultz <[hidden email]>
> Cc: [hidden email]
>
> CVE-2017-18344
>
> (backported from commit cef31d9af908243421258f1df35a4a644604efbe)
> [tyhicks: Do not worry about removing the SIGEV_THREAD_ID masking since it is
>  irrelevant to the security fix]
> Signed-off-by: Tyler Hicks <[hidden email]>

Acked-by: Kleber Sacilotto de Souza <[hidden email]>

> ---
>  kernel/posix-timers.c | 25 +++++++++++++++----------
>  1 file changed, 15 insertions(+), 10 deletions(-)
>
> diff --git a/kernel/posix-timers.c b/kernel/posix-timers.c
> index 77e6b83c0431..26b910462a0c 100644
> --- a/kernel/posix-timers.c
> +++ b/kernel/posix-timers.c
> @@ -498,17 +498,22 @@ static struct pid *good_sigevent(sigevent_t * event)
>  {
>   struct task_struct *rtn = current->group_leader;
>  
> - if ((event->sigev_notify & SIGEV_THREAD_ID ) &&
> - (!(rtn = find_task_by_vpid(event->sigev_notify_thread_id)) ||
> - !same_thread_group(rtn, current) ||
> - (event->sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_SIGNAL))
> + switch (event->sigev_notify) {
> + case SIGEV_SIGNAL | SIGEV_THREAD_ID:
> + rtn = find_task_by_vpid(event->sigev_notify_thread_id);
> + if (!rtn || !same_thread_group(rtn, current))
> + return NULL;
> + /* FALLTHRU */
> + case SIGEV_SIGNAL:
> + case SIGEV_THREAD:
> + if (event->sigev_signo <= 0 || event->sigev_signo > SIGRTMAX)
> + return NULL;
> + /* FALLTHRU */
> + case SIGEV_NONE:
> + return task_pid(rtn);
> + default:
>   return NULL;
> -
> - if (((event->sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_NONE) &&
> -    ((event->sigev_signo <= 0) || (event->sigev_signo > SIGRTMAX)))
> - return NULL;
> -
> - return task_pid(rtn);
> + }
>  }
>  
>  void posix_timers_register_clock(const clockid_t clock_id,
>


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

APPLIED: [SRU][T][PATCH 0/1] CVE-2017-18344 - Incorrect POSIX timer validation

Stefan Bader-2
In reply to this post by Tyler Hicks-2
On 03.08.2018 23:25, Tyler Hicks wrote:

> https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18344.html
>
>  The timer_create syscall implementation in kernel/time/posix-timers.c in
>  the Linux kernel before 4.14.8 doesn't properly validate the
>  sigevent->sigev_notify field, which leads to out-of-bounds access in the
>  show_timer function (called when /proc/$PID/timers is read). This allows
>  userspace applications to read arbitrary kernel memory (on a kernel built
>  with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE).
>
> This is backported from upstream and tested with a PoC that I wrote. Xenial has
> already picked up this fix via linux-stable. Bionic released with this fix.
>
> Tyler
>
This was actually already released as part of the 2018.08.14 security release.

-Stefan


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

signature.asc (836 bytes) Download Attachment