Bugzilla – Bug 884324
VUL-0: CVE-2014-0206: kernel: insufficient sanitization of head in aio_read_events_ring()
Last modified: 2015-02-19 02:05:57 UTC
It was found that the aio_read_events_ring() function in the Linux kernel's AIO subsystem did not properly sanitize the AIO ring head coming from userspace. An unprivileged local user could use this flaw to randomly disclose parts of (physical) memory belonging to the kernel and/or other processes.

Introduced by:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a31ad380bed817aa25f8830ad23e1a0480fef797

Upstream commits:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=edfbbf388f29
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f8567a3845ac

Acknowledgements:
This issue was discovered by Mateusz Guzik of Red Hat.

Affects at most SLE12 and openSUSE 13.1

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1094602
http://seclists.org/oss-sec/2014/q2/638
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0206
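The description above says the ring head is taken from userspace without sanitization. The following is an added example, not code from this bug report or from the kernel: a user-space model of the aio_read_events_ring() copy loop as it is in Linux 3.11, with the bounding that upstream commit edfbbf388f29 adds (head %= nr_events; tail %= nr_events) switchable, so the effect of the missing check can be observed safely. It assumes the x86-64 layout (4 KiB pages, a 32-byte ring header, 32-byte io_event slots) and constructs its own ring contents.

```c
/* Added example, not from the bug report or the kernel: a user-space model of the
 * aio_read_events_ring() copy loop of Linux 3.11 with the bounding that upstream
 * commit edfbbf388f29 adds before it (head %= nr_events; tail %= nr_events).
 * Layout is assumed: 4 KiB pages, a 32-byte ring header, 32-byte io_event slots. */
#include <string.h>

#define PAGE_SZ         4096u
#define EV_SIZE         32u                                  /* sizeof(struct io_event) */
#define EVENTS_PER_PAGE (PAGE_SZ / EV_SIZE)                    /* 128 */
#define EVENTS_OFFSET   (EVENTS_PER_PAGE - (PAGE_SZ - 32u) / EV_SIZE) /* 1: header's slot */
#define NR_EVENTS       256u                                 /* ring->nr: slots in the ring */
#define NR_PAGES        ((NR_EVENTS + EVENTS_OFFSET + EVENTS_PER_PAGE - 1) / EVENTS_PER_PAGE)

/* Constructed ring memory: slot i stores its own index in its first 4 bytes. */
static unsigned char ring_pages[NR_PAGES * PAGE_SZ];

static void fill_ring(void)
{
    for (unsigned i = 0; i < NR_EVENTS; i++)
        memcpy(ring_pages + (i + EVENTS_OFFSET) * EV_SIZE, &i, sizeof i);
}

/* Copies up to nr event ids into out the way the kernel loop does. head and tail
 * stand for the values read from the user-mapped ring page. With sanitize == 0
 * the model returns -1 wherever the kernel would have indexed past ring_pages[]. */
static long read_events(unsigned head, unsigned tail, unsigned *out, long nr, int sanitize)
{
    long ret = 0;
    if (sanitize) {                      /* the fix: bound both indices first */
        head %= NR_EVENTS;
        tail %= NR_EVENTS;
    }
    while (ret < nr && head != tail) {
        long avail = (long)(head <= tail ? tail : NR_EVENTS) - (long)head;
        long room = EVENTS_PER_PAGE - (head + EVENTS_OFFSET) % EVENTS_PER_PAGE;
        unsigned pos = head + EVENTS_OFFSET, page = pos / EVENTS_PER_PAGE;
        if (avail > nr - ret) avail = nr - ret;
        if (avail > room) avail = room;  /* never run past the current page */
        if (avail <= 0 || page >= NR_PAGES)
            return -1;                   /* kernel would read outside the ring */
        pos %= EVENTS_PER_PAGE;
        for (long i = 0; i < avail; i++)
            memcpy(&out[ret + i], ring_pages + page * PAGE_SZ + (pos + i) * EV_SIZE, sizeof *out);
        ret += avail;
        head = (head + avail) % NR_EVENTS;
    }
    return ret;
}
```

With sanitize set, a head of 1000 on a 256-slot ring is folded to slot 232 and the read stays inside the three pages that back the ring; without it the same value selects page 7, which the model refuses.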
bugbot adjusting priority
The patches already exist in SLE12. Looking into openSUSE 13.1...
I do not see the offending patch (commit id) a31ad380bed817aa25f8830ad23e1a0480fef797 in the openSUSE 13.1 git tree, so the two upstream commits are not needed either.
OK, I take it back. Mainline commit id a31ad380bed817aa25f8830ad23e1a0480fef797 does exist in openSUSE 13.1. But the patches with commit ids edfbbf388f293d70bf4b7c0bc38774d05e6f711a and f8567a3845ac05bb28f3c1b478ef752762bd39ef do not apply straight away. We need in-between patches, which will result in changes to aio data structures and code. Is that the expectation?
The expectation is to fix the security issue :) Other changes needed to fix the issue are a side effect that needs to be evaluated so that we don't cause other problems. Do you expect any if we change those data structures by applying the additional patches?
Looking into this...
Upstream commit edfbbf388f293d70bf4b7c0bc38774d05e6f711a is easy to merge, but I had to make some additional minor changes, so now the function aio_read_events_ring() matches the one in the mainline kernel. Working on applying the second patch, which generates merge errors.
The second patch, f8567a3845ac05bb28f3c1b478ef752762bd39ef, in its description says "A separate backport is required for 3.10/3.11." Wonder if there is such a backport somewhere already, would be easier to apply!
Deleting atomic_sub(ret, &ctx->reqs_active); from function aio_read_events_ring() and adding atomic_dec(&ctx->reqs_active); to function aio_complete() would be an equivalent change to the one in the patch with commit id f8567a3845ac05bb28f3c1b478ef752762bd39ef. But this affects refcounting, so I have to be careful and go through the code to determine whether any additional change is needed in aio.c.
Created attachment 603559
one of the two patches to fix CVE-2014-0206
Backported to 3.11 kernel from mainline patch
Created attachment 603560
second of the two patches needed to fix CVE-2014-0206
Backported to 3.11 kernel from mainline patch
Trying to see if I can run some kind of aio tests with these patches before I merge them!
Quickly ran /opt/ltp/testcases/bin/aio-stress <~/filename> from ltp testsuite on existing opensuse 3.11 kernel. Will run the same testcase on the kernel built with the changes and see if it passes. Also need to look at what exactly aio-stress does (code etc. to be sure).
I am able to now run tests like aio01, aio_tio etc. Will run all the aio tests under /opt/ltp/testcases/bin correctly with unmodified kernel and then run the same tests with the patched kernel and compare before merging patches.
All these LTP aio tests under /opt/ltp/testcases/bin:
aio01 -i 5 -P 1 -t -b 512 -n 5 -F ~/cscope.out
aiocp -a 4096 -b 512 ~/cscope.out ~/cscope.out1
aiodio_append ~/cscope.out1
aiodio_sparse -n 5 -s 65336 -w 4096
aio_tio
complete and pass except aio-stress. I am running aio-stress this way and it hangs. Have been looking into it.
aio-stress -a 4 -b 10 -c 5 -r 1024 -I 20 -l -L -t 5 -v ~/newfile1
aio-stress -a 4 -b 10 -c 5 -r 1024 -I 20 -l -L -t 5 -v ~/newfile1 ~/newfile2
I should clarify about the note #18 that the above tests were run on an existing 3.11.10-17.desktop openSUSE kernel, without any modifications (to aio.c). I have the changed aio.c and new kernel built, so will repeat the tests on that patched kernel to verify that the same tests are successful and results match.
./aio-stress -a 4 -b 10 -c 5 -r 1024 -I 20 -l -L -t 5 -v ~/newfile
file size 1024MB, record size 1024KB, depth 64, I/O per iteration 8
max io_submit 10, buffer alignment set to 4KB
threads 5 files 1 contexts 5 context offset 2MB verification on
Running multi thread version num_threads:5
latency min 4.00 avg 201.58 max 1581.13
	 15 < 100 1 < 250 1 < 500 2 < 1000 1 < 5000 0 < 10000
completion latency min 0.00 avg 779.71 max 2674.76
	 32 < 100 40 < 250 8 < 500 0 < 1000 48 < 5000 0 < 10000
latency min 5.25 avg 265.24 max 1481.88
	 10 < 100 1 < 250 2 < 500 2 < 1000 1 < 5000 0 < 10000
completion latency min 0.00 avg 949.46 max 1347.35
	 8 < 100 0 < 250 0 < 500 32 < 1000 24 < 5000 0 < 10000
write on /home/shirish/newfile (30.16 MB/s) 128.00 MB in 4.24s
latency min 3.44 avg 709.09 max 1398.91
	 2 < 100 0 < 250 0 < 500 2 < 1000 2 < 5000 0 < 10000
completion latency min 0.00 avg -nan max 0.00
	 0 < 100 0 < 250 0 < 500 0 < 1000 0 < 5000 0 < 10000
write on /home/shirish/newfile (11.28 MB/s) 48.00 MB in 4.25s
latency min 4.35 avg 607.96 max 1996.12
	 4 < 100 0 < 250 1 < 500 0 < 1000 2 < 5000 0 < 10000
completion latency min 0.00 avg -nan max 0.00
	 0 < 100 0 < 250 0 < 500 0 < 1000 0 < 5000 0 < 10000
write on /home/shirish/newfile (13.16 MB/s) 56.00 MB in 4.26s
latency min 420.80 avg 1421.58 max 2352.43
	 0 < 100 0 < 250 1 < 500 0 < 1000 2 < 5000 0 < 10000
completion latency min 0.00 avg -nan max 0.00
	 0 < 100 0 < 250 0 < 500 0 < 1000 0 < 5000 0 < 10000
write on /home/shirish/newfile (5.63 MB/s) 24.00 MB in 4.26s
thread 2 write totals (4.81 MB/s) 24.00 MB in 4.99s
thread 0 write totals (25.64 MB/s) 128.00 MB in 4.99s
thread 3 write totals (11.22 MB/s) 56.00 MB in 4.99s
thread 4 write totals (9.61 MB/s) 48.00 MB in 4.99s
write throughput (51.28 MB/s) 256.00 MB in 4.99s
min transfer 48.00B
global num pending is 32

It is hung for some time, not sure whether test parameters are incorrect, need to investigate.
Even the initramfs building is stalled too, so not sure what is going on. Perhaps have to use one of the lab machines...
/usr/src/linux-3.11.10-17> sudo make install
sh /usr/src/linux-3.11.10-17/arch/x86/boot/install.sh 3.11.10-17-desktop.ssp arch/x86/boot/bzImage \
System.map "/boot"
Kernel image: /boot/vmlinuz-3.11.10-17-desktop.ssp
Initrd image: /boot/initrd-3.11.10-17-desktop.ssp
KMS drivers: i915 nouveau
Root device: /dev/sysvg/rootlv (mounted on / as ext4)
Resume device: /dev/disk/by-id/ata-HGST_HTS725050A7E630_TF655AY91JEURL-part1 (/dev/sda1)
do not see initrd file in /boot
The same make install today worked, generated the initrd file, and the system booted fine with the patched (aio.c) kernel. I repeated the tests and noted the same behaviour as in comments #18 and #20. I think the patches look correct. Will repeat the aio-stress test/binary on one of the lab openSUSE 13.1 machines I just reserved and see how it behaves.
Found this usage, and aio-stress does pass on the patched kernel and does not generate any errors, so I will check in those two patches.
./aio-stress -O -s 64m -r 256k -i 1024 ~/newfile3
dropping io_iter to 64
file size 64MB, record size 256KB, depth 64, I/O per iteration 64
max io_submit 64, buffer alignment set to 4KB
threads 1 files 1 contexts 1 context offset 2MB verification off
Running single thread version
write on /home/shirish/newfile3 (73.81 MB/s) 64.00 MB in 0.87s
thread 0 write totals (66.91 MB/s) 64.00 MB in 0.96s
read on /home/shirish/newfile3 (122.96 MB/s) 64.00 MB in 0.52s
thread 0 read totals (106.66 MB/s) 64.00 MB in 0.60s
random write on /home/shirish/newfile3 (61.58 MB/s) 64.00 MB in 1.04s
thread 0 random write totals (54.08 MB/s) 64.00 MB in 1.18s
random read on /home/shirish/newfile3 (40.75 MB/s) 64.00 MB in 1.57s
thread 0 random read totals (36.05 MB/s) 64.00 MB in 1.78s
merged the two patches
code merged.
openSUSE-SU-2014:1677-1: An update that solves 31 vulnerabilities and has 12 fixes is now available.
Category: security (important)
Bug References: 818966,835839,853040,856659,864375,865882,873790,875051,881008,882639,882804,883518,883724,883948,883949,884324,887046,887082,889173,890114,891689,892490,893429,896382,896385,896390,896391,896392,896689,897736,899785,900392,902346,902349,902351,904013,904700,905100,905744,907818,908163,909077,910251
CVE References: CVE-2013-2891,CVE-2013-2898,CVE-2014-0181,CVE-2014-0206,CVE-2014-1739,CVE-2014-3181,CVE-2014-3182,CVE-2014-3184,CVE-2014-3185,CVE-2014-3186,CVE-2014-3673,CVE-2014-3687,CVE-2014-3688,CVE-2014-4171,CVE-2014-4508,CVE-2014-4608,CVE-2014-4611,CVE-2014-4943,CVE-2014-5077,CVE-2014-5206,CVE-2014-5207,CVE-2014-5471,CVE-2014-5472,CVE-2014-6410,CVE-2014-7826,CVE-2014-7841,CVE-2014-7975,CVE-2014-8133,CVE-2014-8709,CVE-2014-9090,CVE-2014-9322
Sources used:
openSUSE 13.1 (src): cloop-2.639-11.16.1, crash-7.0.2-2.16.1, hdjmod-1.28-16.16.1, ipset-6.21.1-2.20.1, iscsitarget-1.4.20.3-13.16.1, kernel-docs-3.11.10-25.2, kernel-source-3.11.10-25.1, kernel-syms-3.11.10-25.1, ndiswrapper-1.58-16.1, pcfclock-0.44-258.16.1, vhba-kmp-20130607-2.17.1, virtualbox-4.2.18-2.21.1, xen-4.3.2_02-30.1, xtables-addons-2.3-2.16.1