#4723 closed task (fixed)

linux-5.8.9

Reported by: Bruce Dubbs Owned by: lfs-book
Priority: high Milestone: 10.1
Component: Book Version: SVN
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (5)

comment:1 by Bruce Dubbs, 11 months ago

Summary: linux-5.8.6linux-5.8.7

Now version 5.8.7

comment:2 by Bruce Dubbs, 11 months ago

Summary: linux-5.8.7linux-5.8.8

Now version 5.8.8

comment:3 by Douglas R. Reno, 11 months ago

Priority: normalhigh

This has a security fix in it

Date: Tue, 8 Sep 2020 08:33:00 -0700
From: Andy Lutomirski <luto@...nel.org>
To: oss security list <oss-security@...ts.openwall.com>
Subject: CVE Request: Linux kernel vsyscall page refcounting error

Linux 5.7 and 5.8 have a bug in the reference counting of the struct
page that backs the vsyscall page.  The result is a refcount
underflow.  This can be triggered by any 64-bit process that is
permitted to use ptrace() or process_vm_readv().  A creative attacker
can probably achieve kernel code escalation by using this bug.

You can prevent the issue from triggering by booting with
vsyscall=xonly or vsyscall=none.  You can also effectively hotpatch a
kernel with suitable hardening options by running the updated test
case noted below -- the test case will underflow the refcount past
zero, preventing further use of the page.  (A real attacker would
carefully underflow it exactly to zero but not past.)  Or you can fix
your kernel.

(No one should be using vsyscall=emulate any more unless they have a
very specific use case that requires it.  vsyscall=xonly is better in
almost all cases.  For some reason, Fedora still seems to be using
emulate mode, though.)

Fixed by:

commit 9fa2dd946743ae6f30dc4830da19147bf100a7f2
Author: Dave Hansen <dave.hansen@...ux.intel.com>
Date:   Thu Sep 3 13:40:28 2020 -0700

    mm: fix pin vs. gup mismatch with gate pages

and tested a little better by:

commit 8891adc61dce2a8a41fc0c23262b681c3ec4b73a
Author: Andy Lutomirski <luto@...nel.org>
Date:   Thu Sep 3 13:40:30 2020 -0700

    selftests/x86/test_vsyscall: Improve the process_vm_readv() test

comment:4 by Bruce Dubbs, 11 months ago

Summary: linux-5.8.8linux-5.8.9

Now version 5.8.9.

comment:5 by Bruce Dubbs, 11 months ago

Resolution: fixed
Status: newclosed

Fixed at revision 12047.

Note: See TracTickets for help on using tickets.