A serious local privilege escalation vulnerability has been found in the Linux operating system; it can be exploited to obtain superuser privileges on the target system. The vulnerability lies in the Linux implementation of the Reliable Datagram Sockets (RDS) protocol and affects unpatched kernel versions since 2.6.30, because the RDS protocol was introduced in 2.6.30. The security researcher who found the vulnerability said that the Ubuntu, Debian, Fedora, Red Hat, Arch, Slackware and SUSE distributions on kernel 2.6.30+ are all affected by the problem. Ubuntu has already released an official patch; users of other distributions can apply and compile the fix released by Linus Torvalds.

De-pessimize rds_page_copy_user

Don't try to "optimize" rds_page_copy_user() by using kmap_atomic() and
the unsafe atomic user mode accessor functions. It's actually slower
than the straightforward code on any reasonable modern CPU.
Back when the code was written (although probably not by the time it was
actually merged, though), 32-bit x86 may have been the dominant
architecture. And there kmap_atomic() can be a lot faster than kmap()
(unless you have very good locality, in which case the virtual address
caching by kmap() can overcome all the downsides).
But these days, x86-64 may not be more populous, but it's getting there
(and if you care about performance, it's definitely already there -
you'd have upgraded your CPUs already in the last few years). And on
x86-64, the non-kmap_atomic() version is faster, simply because the code
is simpler and doesn't have the "re-try page fault" case.
People with old hardware are not likely to care about RDS anyway, and
the optimization for the 32-bit case is simply buggy, since it doesn't
verify the user addresses properly.
Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Acked-by: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
diff --git a/net/rds/page.c b/net/rds/page.cindex 595a952..1dfbfea 100644 (file)
--- a/net/rds/page.c+++ b/net/rds/page.c@@ -57,30 +57,17 @@ int rds_page_copy_user(struct page *page, unsigned long offset, unsigned long ret; void *addr; - if (to_user)+ addr = kmap(page);+ if (to_user) { rds_stats_add(s_copy_to_user, bytes);- else+ ret = copy_to_user(ptr, addr + offset, bytes);+ } else { rds_stats_add(s_copy_from_user, bytes);-- addr = kmap_atomic(page, KM_USER0);- if (to_user)- ret = __copy_to_user_inatomic(ptr, addr + offset, bytes);- else- ret = __copy_from_user_inatomic(addr + offset, ptr, bytes);- kunmap_atomic(addr, KM_USER0);-- if (ret) {- addr = kmap(page);- if (to_user)- ret = copy_to_user(ptr, addr + offset, bytes);- else- ret = copy_from_user(addr + offset, ptr, bytes);- kunmap(page);- if (ret)- return -EFAULT;+ ret = copy_from_user(addr + offset, ptr, bytes); }+ kunmap(page); - return 0;+ return ret ? -EFAULT : 0; } EXPORT_SYMBOL_GPL(rds_page_copy_user);
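Review bot: the security-relevant point of this hunk is that the removed `__copy_to_user_inatomic()` / `__copy_from_user_inatomic()` calls do no access_ok() range check on `ptr`, and the old fallback to `copy_to_user()` / `copy_from_user()` only ran inside `if (ret)`, so a copy that succeeded on the first attempt was never validated; the new code calls the checking variants unconditionally, which is what actually closes the hole, and the commit message would be clearer if it stated this instead of only "doesn't verify the user addresses properly". Two smaller points: `kmap()` and the checking copy routines may sleep where `kmap_atomic()` could not, but since the old fallback already used exactly this `kmap()` + `copy_*_user()` sequence, callers of rds_page_copy_user() must already have tolerated sleeping, so no new constraint is introduced; and the new error path reaches `kunmap(page);` before `return ret ? -EFAULT : 0;`, matching the old `kunmap(page);` before `return -EFAULT;`, so no page mapping is leaked in either version.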