Bad posix clock speculation mitigation backport

Bug #1847189 reported by Tyler Hicks on 2019-10-08
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Undecided
Unassigned
Xenial
Medium
Tyler Hicks

Bug Description

[Impact]

Vitaly Nikolenko pointed out that syscall(__NR_clock_gettime, 10, 0) can be used to perform a denial of service (system crash) or possibly execute arbitrary code in the Ubuntu Xenial kernel:

  https://twitter.com/vnik5287/status/1180666151216435200

[Test Case]

Execute the following test program and verify that it prints out "clock_gettime: Invalid argument" rather than triggering a NULL pointer dereference and stack trace in the kernel logs.

==========
#include <stdio.h>
#include <time.h>

int main(void)
{
        int rc = clock_gettime(10, 0);

        if (rc < 0)
                perror("clock_gettime");

        return rc;
}
==========

[Regression Potential]

Low. The fix is easy to review and fixes a denial of service issue that's trivial to trigger.

Tyler Hicks (tyhicks) on 2019-10-08
Changed in linux (Ubuntu Xenial):
status: New → In Progress
assignee: nobody → Tyler Hicks (tyhicks)
importance: Undecided → Medium
Changed in linux (Ubuntu):
status: In Progress → Invalid
assignee: Tyler Hicks (tyhicks) → nobody
Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
Tyler Hicks (tyhicks) wrote :

I've verified the kernel in xenial-proposed:

tyhicks@sec-xenial-amd64:~$ cat /proc/version_signature
Ubuntu 4.4.0-167.196-generic 4.4.197
tyhicks@sec-xenial-amd64:~$ cat test.c
#include <stdio.h>
#include <time.h>

int main(void)
{
        int rc = clock_gettime(10, 0);

        if (rc < 0)
                perror("clock_gettime");

        return rc;
}
tyhicks@sec-xenial-amd64:~$ gcc -o test test.c
tyhicks@sec-xenial-amd64:~$ ./test
clock_gettime: Invalid argument

There's no NULL pointer deref or any other sort of error induced by the test case in the kernel log.

tags: added: verification-done-xenial
removed: verification-needed-xenial
Launchpad Janitor (janitor) wrote :
Download full text (18.6 KiB)

This bug was fixed in the package linux - 4.4.0-168.197

---------------
linux (4.4.0-168.197) xenial; urgency=medium

  * CVE-2018-12207
    - KVM: x86: MMU: Encapsulate the type of rmap-chain head in a new struct
    - KVM: x86: MMU: Consolidate quickly_check_mmio_pf() and is_mmio_page_fault()
    - KVM: x86: MMU: Move handle_mmio_page_fault() call to kvm_mmu_page_fault()
    - KVM: MMU: rename has_wrprotected_page to mmu_gfn_lpage_is_disallowed
    - KVM: MMU: introduce kvm_mmu_gfn_{allow,disallow}_lpage
    - KVM: x86: MMU: Make mmu_set_spte() return emulate value
    - KVM: x86: MMU: Move initialization of parent_ptes out from
      kvm_mmu_alloc_page()
    - KVM: x86: MMU: always set accessed bit in shadow PTEs
    - KVM: x86: MMU: Move parent_pte handling from kvm_mmu_get_page() to
      link_shadow_page()
    - KVM: x86: MMU: Remove unused parameter parent_pte from kvm_mmu_get_page()
    - KVM: x86: simplify ept_misconfig
    - KVM: x86: extend usage of RET_MMIO_PF_* constants
    - KVM: MMU: drop vcpu param in gpte_access
    - kvm: Convert kvm_lock to a mutex
    - kvm: x86: Do not release the page inside mmu_set_spte()
    - KVM: x86: make FNAME(fetch) and __direct_map more similar
    - KVM: x86: remove now unneeded hugepage gfn adjustment
    - KVM: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON
    - KVM: x86: add tracepoints around __direct_map and FNAME(fetch)
    - SAUCE: KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is
      active
    - SAUCE: x86: Add ITLB_MULTIHIT bug infrastructure
    - SAUCE: kvm: mmu: ITLB_MULTIHIT mitigation
    - SAUCE: kvm: Add helper function for creating VM worker threads
    - SAUCE: kvm: x86: mmu: Recovery of shattered NX large pages
    - SAUCE: cpu/speculation: Uninline and export CPU mitigations helpers
    - SAUCE: kvm: x86: mmu: Apply global mitigations knob to ITLB_MULTIHIT

  * CVE-2019-11135
    - KVM: x86: Emulate MSR_IA32_ARCH_CAPABILITIES on AMD hosts
    - KVM: x86: use Intel speculation bugs and features as derived in generic x86
      code
    - x86/msr: Add the IA32_TSX_CTRL MSR
    - x86/cpu: Add a helper function x86_read_arch_cap_msr()
    - x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default
    - x86/speculation/taa: Add mitigation for TSX Async Abort
    - x86/speculation/taa: Add sysfs reporting for TSX Async Abort
    - kvm/x86: Export MDS_NO=0 to guests when TSX is enabled
    - x86/tsx: Add "auto" option to the tsx= cmdline parameter
    - x86/speculation/taa: Add documentation for TSX Async Abort
    - x86/tsx: Add config options to set tsx=on|off|auto
    - SAUCE: x86/speculation/taa: Call tsx_init()
    - SAUCE: x86/cpu: Include cpu header from bugs.c
    - [Config] Disable TSX by default when possible

  * CVE-2019-0154
    - SAUCE: i915_bpo: drm/i915: Lower RM timeout to avoid DSI hard hangs
    - SAUCE: i915_bpo: drm/i915/gen8+: Add RC6 CTX corruption WA
    - SAUCE: drm/i915/gen8+: Add RC6 CTX corruption WA

  * CVE-2019-0155
    - SAUCE: i915_bpo: drm/i915/gtt: Add read only pages to gen8_pte_encode
    - SAUCE: i915_bpo: drm/i915/gtt: Read-only pages for insert_entries on bdw+
    - SAUCE: i915_bpo: drm/i915/gtt: Disable read-on...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers