Bugzilla – Bug 885460
VUL-0: CVE-2014-3534: kernel: s390x local privilege escalation via ptrace
Last modified: 2016-04-28 07:16:16 UTC
EMBARGOED, reported via IBM
Description: kernel: ptrace local root exploit
Symptom: Privilege escalation by a non-privileged user space program.
Problem: The PSW mask check of the PTRACE_POKEUSR_AREA command is incorrect. The PSW_MASK_USER define contains the PSW_MASK_ASC bits, the ptrace interface accepts all combinations for the address-space-control bits.
Solution: To protect the kernel space the PSW mask check in ptrace needs to reject the address-space-control bit combination for the kernel space.
Reproduction: Use gdb to modify the PSW of the inferior to point to the home space and let the inferior continue with a write instruction to a kernel address. (See attached file: s390-sles12-ptrace-poke-exploit.patch)
Created attachment 597021: s390-sles12-ptrace-poke-exploit.patch
Attached patch from Gerald's mail.
CRD is still open, for around RC2 according to Gerald.
Affected packages:
SLE-10-SP3-TERADATA: kernel-default
SLE-11-SP1-TERADATA: kernel-default
SLE-11-SP3: kernel-default
SLE-11-SP3-PRODUCTS: kernel-default
SLE-11-SP3-UPTU: kernel-default
This affects SLES 12 only. SLES 10 / 11 are missing some prerequisite patches which are necessary to allow this exploit.
FYI, the following git commit introduced the issue (only included in SLES 12):

commit fa968ee215c0ca91e4a9c3a69ac2405aae6e5d2f
Author: Martin Schwidefsky <schwidefsky@de.ibm.com>
Date:   Wed Nov 7 10:44:08 2012 +0100

    s390/signal: set correct address space control

    If user space is running in primary mode it can switch to secondary or
    access register mode, this is used e.g. in the clock_gettime code of
    the vdso. If a signal is delivered to the user space process while it
    has been running in access register mode the signal handler is executed
    in access register mode as well which will result in a crash most of
    the time.

    Set the address space control bits in the PSW to the default for the
    execution of the signal handler and make sure that the previous address
    space control is restored on signal return. Take care that user space
    can not switch to the kernel address space by modifying the registers
    in the signal frame.

    Cc: stable@vger.kernel.org
    Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
bugbot adjusting priority
In mainline linux kernel git.

commit dab6cf55f81a6e16b8147aed9a843e1691dcd318
Author: Martin Schwidefsky <schwidefsky@de.ibm.com>
Date:   Mon Jun 23 15:29:40 2014 +0200

    s390/ptrace: fix PSW mask check

    The PSW mask check of the PTRACE_POKEUSR_AREA command is incorrect.
    The PSW_MASK_USER define contains the PSW_MASK_ASC bits, the ptrace
    interface accepts all combinations for the address-space-control
    bits. To protect the kernel space the PSW mask check in ptrace needs
    to reject the address-space-control bit combination for home space.

    Fixes CVE-2014-3534

    Cc: stable@vger.kernel.org
    Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
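As an added illustration (not code from this bug report, the attached patch, or the kernel), a C model of the PSW-mask check described in the bug description and in Martin's mainline commit above: the pre-fix check accepts any value of the address-space-control bits because they sit inside PSW_MASK_USER, while the fixed check additionally rejects the home-space combination. The ASC bit values follow the z/Architecture PSW layout (bits 16-17); the remaining mask bits are a simplified subset assumed for this model, not the kernel's exact PSW_MASK_USER / PSW_USER_BITS definitions.

```c
/* Model of the s390 ptrace PSW-mask check before and after the CVE-2014-3534 fix.
 * ASC bit values follow the z/Architecture PSW layout (bits 16-17); the other
 * mask bits are a simplified subset constructed for this example, not the
 * kernel's exact definitions. */
#include <stdbool.h>
#include <stdint.h>

#define PSW_MASK_ASC      0x0000C00000000000ULL  /* address-space-control field */
#define PSW_ASC_PRIMARY   0x0000000000000000ULL
#define PSW_ASC_ACCREG    0x0000400000000000ULL
#define PSW_ASC_SECONDARY 0x0000800000000000ULL
#define PSW_ASC_HOME      0x0000C00000000000ULL  /* kernel address space */
#define PSW_MASK_DAT      0x0400000000000000ULL  /* model: address translation on */
#define PSW_MASK_PSTATE   0x0001000000000000ULL  /* model: problem (user) state */
#define PSW_MASK_EA       0x0000000100000000ULL  /* model: extended addressing */
#define PSW_MASK_BA       0x0000000080000000ULL  /* model: basic addressing */
/* Bits user space may set freely; the ASC field being in here is the bug. */
#define PSW_MASK_USER     (PSW_MASK_ASC | PSW_MASK_EA | PSW_MASK_BA)
/* Bits every user-mode PSW must carry exactly. */
#define PSW_USER_BITS     (PSW_MASK_DAT | PSW_MASK_PSTATE)

/* Pre-fix check: ASC is inside PSW_MASK_USER, so every ASC value passes,
 * including the home-space combination that selects the kernel address space. */
static bool psw_mask_ok_vulnerable(uint64_t data)
{
    if ((data & ~PSW_MASK_USER) != PSW_USER_BITS)
        return false;                     /* non-user bits must match exactly */
    if ((data & PSW_MASK_EA) && !(data & PSW_MASK_BA))
        return false;                     /* invalid addressing-mode bits */
    return true;
}

/* Fixed check: same validation plus rejection of the home-space ASC bits. */
static bool psw_mask_ok_fixed(uint64_t data)
{
    return psw_mask_ok_vulnerable(data) && (data & PSW_MASK_ASC) != PSW_ASC_HOME;
}

/* Build a user-mode PSW mask with the given ASC value (64-bit addressing). */
static uint64_t make_user_psw(uint64_t asc)
{
    return PSW_USER_BITS | PSW_MASK_EA | PSW_MASK_BA | asc;
}
```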
Yes, looks like Martin acted a little overhasty there. Anyway, I guess this ends any embargo, so you can now include the patch for the next SLES 12 Beta/RC update.
This patch has been submitted, although I do not believe the patch made it in time for RC2.
To be clear, I submitted this patch to SLE12
I'm closing this as fixed as this affects only SLE-12 on s390x.