authorJosh Boyer <jwboyer@fedoraproject.org>2014-06-25 08:29:10 -0400
committerJosh Boyer <jwboyer@fedoraproject.org>2014-06-25 08:29:34 -0400
commit3d7abd60bf118315af2ef58da94462eef626d81b (patch)
tree5b3b2cf555512792f5dcc9defa3ab3ff7ff4cc14
parentc90b4f95b3325d96ffdba63220962033fa8841aa (diff)
CVE-2014-0206 aio: insufficient head sanitization in aio_read_events_ring (rhbz 1094602 1112975)
-rw-r--r--aio-fix-aio-request-leak-when-events-are-reaped-by-u.patch48
-rw-r--r--aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch46
-rw-r--r--kernel.spec11
3 files changed, 105 insertions, 0 deletions
diff --git a/aio-fix-aio-request-leak-when-events-are-reaped-by-u.patch b/aio-fix-aio-request-leak-when-events-are-reaped-by-u.patch
new file mode 100644
index 000000000..fa93d6622
--- /dev/null
+++ b/aio-fix-aio-request-leak-when-events-are-reaped-by-u.patch
@@ -0,0 +1,48 @@
+Bugzilla: 1112975
+Upstream-status: 3.16 and CC'd to stable
+
+From f8567a3845ac05bb28f3c1b478ef752762bd39ef Mon Sep 17 00:00:00 2001
+From: Benjamin LaHaise <bcrl@kvack.org>
+Date: Tue, 24 Jun 2014 13:12:55 -0400
+Subject: [PATCH] aio: fix aio request leak when events are reaped by userspace
+
+The aio cleanups and optimizations by kmo that were merged into the 3.10
+tree added a regression for userspace event reaping. Specifically, the
+reference counts are not decremented if the event is reaped in userspace,
+leading to the application being unable to submit further aio requests.
+This patch applies to 3.12+. A separate backport is required for 3.10/3.11.
+This issue was uncovered as part of CVE-2014-0206.
+
+Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
+Cc: stable@vger.kernel.org
+Cc: Kent Overstreet <kmo@daterainc.com>
+Cc: Mateusz Guzik <mguzik@redhat.com>
+Cc: Petr Matousek <pmatouse@redhat.com>
+---
+ fs/aio.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/fs/aio.c b/fs/aio.c
+index 4f078c054b41..6a9c7e489adf 100644
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -1021,6 +1021,7 @@ void aio_complete(struct kiocb *iocb, long res, long res2)
+
+ /* everything turned out well, dispose of the aiocb. */
+ kiocb_free(iocb);
++ put_reqs_available(ctx, 1);
+
+ /*
+ * We have to order our ring_info tail store above and test
+@@ -1100,8 +1101,6 @@ static long aio_read_events_ring(struct kioctx *ctx,
+ flush_dcache_page(ctx->ring_pages[0]);
+
+ pr_debug("%li h%u t%u\n", ret, head, tail);
+-
+- put_reqs_available(ctx, ret);
+ out:
+ mutex_unlock(&ctx->ring_lock);
+
+--
+1.9.3
+
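Review bot: The added `put_reqs_available(ctx, 1);` in the first fs/aio.c hunk sits directly under the comment "everything turned out well, dispose of the aiocb", which no longer explains why the request slot is returned at completion time rather than when the event is consumed; a reader of the patched file has to find this commit message to learn that. Since the only change at the consumer side is the deletion of `put_reqs_available(ctx, ret);` in aio_read_events_ring, the reason belongs next to the new call, e.g. `/* Return the slot here, not when the event is reaped: userspace may consume events straight from the mapped ring without ever entering aio_read_events_ring(). */`. Both aio_complete and aio_read_events_ring start and end outside the hunks shown.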
diff --git a/aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch b/aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch
new file mode 100644
index 000000000..831a6a85f
--- /dev/null
+++ b/aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch
@@ -0,0 +1,46 @@
+Bugzilla: 1112975
+Upstream-status: 3.16 and CC'd to stable
+
+From edfbbf388f293d70bf4b7c0bc38774d05e6f711a Mon Sep 17 00:00:00 2001
+From: Benjamin LaHaise <bcrl@kvack.org>
+Date: Tue, 24 Jun 2014 13:32:51 -0400
+Subject: [PATCH] aio: fix kernel memory disclosure in io_getevents()
+ introduced in v3.10
+
+A kernel memory disclosure was introduced in aio_read_events_ring() in v3.10
+by commit a31ad380bed817aa25f8830ad23e1a0480fef797. The changes made to
+aio_read_events_ring() failed to correctly limit the index into
+ctx->ring_pages[], allowing an attacked to cause the subsequent kmap() of
+an arbitrary page with a copy_to_user() to copy the contents into userspace.
+This vulnerability has been assigned CVE-2014-0206. Thanks to Mateusz and
+Petr for disclosing this issue.
+
+This patch applies to v3.12+. A separate backport is needed for 3.10/3.11.
+
+Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
+Cc: Mateusz Guzik <mguzik@redhat.com>
+Cc: Petr Matousek <pmatouse@redhat.com>
+Cc: Kent Overstreet <kmo@daterainc.com>
+Cc: Jeff Moyer <jmoyer@redhat.com>
+Cc: stable@vger.kernel.org
+---
+ fs/aio.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/aio.c b/fs/aio.c
+index 6a9c7e489adf..955947ef3e02 100644
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -1063,6 +1063,9 @@ static long aio_read_events_ring(struct kioctx *ctx,
+ if (head == tail)
+ goto out;
+
++ head %= ctx->nr_events;
++ tail %= ctx->nr_events;
++
+ while (ret < nr) {
+ long avail;
+ struct io_event *ev;
+--
+1.9.3
+
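Review bot: The early exit `if (head == tail) goto out;` above the inserted lines compares the raw ring values, while the two new `%= ctx->nr_events` reductions run only afterwards, so a head and tail that differ in raw form but coincide modulo nr_events reach the loop as equal indices. The loop body continues outside the hunk; if it does not recheck `head == tail` after the reduction, the safe form is to hoist the two `%=` lines above the comparison so the emptiness test and the indexing use the same values. As the patch description notes, head comes from the ring page that userspace can write, which is why the reduction must cover every use of the value, not only the kmap() index.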
diff --git a/kernel.spec b/kernel.spec
index 0ec88567f..7df6895ec 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -741,6 +741,10 @@ Patch25104: intel_pstate-Update-documentation-of-max-min_perf_pct-sysfs-files.pa
#CVE-2014-4508 rhbz 1111590 1112073
Patch25106: x86_32-entry-Do-syscall-exit-work-on-badsys.patch
+#CVE-2014-0206 rhbz 1094602 1112975
+Patch25107: aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch
+Patch25108: aio-fix-aio-request-leak-when-events-are-reaped-by-u.patch
+
# END OF PATCH DEFINITIONS
%endif
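Review bot: Patch25107 (the io_getevents disclosure fix) is registered and, in the matching ApplyPatch hunk further down, applied before Patch25108 (the request-leak fix), but the index lines inside the two patch files show the opposite upstream order: the leak fix takes fs/aio.c from 4f078c054b41 to 6a9c7e489adf and the disclosure fix starts from 6a9c7e489adf. Applying them reversed appears to work only because the second patch's hunks land at a small line offset; swapping the two `Patch2510x:` lines and the two `ApplyPatch` lines would match upstream and remove that reliance on fuzz. The same ordering applies to the ApplyPatch hunk.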
@@ -1450,6 +1454,10 @@ ApplyPatch intel_pstate-Update-documentation-of-max-min_perf_pct-sysfs-files.pat
#CVE-2014-4508 rhbz 1111590 1112073
ApplyPatch x86_32-entry-Do-syscall-exit-work-on-badsys.patch
+#CVE-2014-0206 rhbz 1094602 1112975
+ApplyPatch aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch
+ApplyPatch aio-fix-aio-request-leak-when-events-are-reaped-by-u.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2262,6 +2270,9 @@ fi
# ||----w |
# || ||
%changelog
+* Wed Jun 25 2014 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2014-0206 aio: insufficient head sanitization in aio_read_events_ring (rhbz 1094602 1112975)
+
* Mon Jun 23 2014 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2014-4508 BUG in x86_32 syscall auditing (rhbz 1111590 1112073)