Bug 512526 (CVE-2014-3153) - Kernel: futex local privilege escalation (CVE-2014-3153)
Summary: Kernel: futex local privilege escalation (CVE-2014-3153)
Status: IN_PROGRESS
Alias: CVE-2014-3153
Product: Gentoo Security
Classification: Unclassified
Component: Kernel (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Kernel Security
URL: http://seclists.org/oss-sec/2014/q2/467
Whiteboard:
Keywords:
Depends on: CVE-2014-6416 510488 512714
Blocks:
Reported: 2014-06-05 16:47 UTC by Kristian Fiskerstrand
Modified: 2016-12-07 04:01 UTC
CC List: 10 users

See Also:
Package list:
Runtime testing required: ---
Description Kristian Fiskerstrand gentoo-dev Security 2014-06-05 16:47:52 UTC
CVE-2014-3153
    Pinkie Pie discovered an issue in the futex subsystem that allows a
    local user to gain ring 0 control via the futex syscall. An
    unprivileged user could use this flaw to crash the kernel (resulting
    in denial of service) or for privilege escalation.

Reproducible: Always
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-06-05 18:37:03 UTC
I have updated hardened sources.

These have the fix (4 patches, not 6 as posted here: http://seclists.org/oss-sec/2014/q2/470).

hardened-sources-3.14.5-r1.ebuild
hardened-sources-3.14.4-r2.ebuild
hardened-sources-3.13.10-r1.ebuild
hardened-sources-3.13.6-r4.ebuild
hardened-sources-3.13.2-r4.ebuild
hardened-sources-3.11.7-r2.ebuild
hardened-sources-3.2.59-r3.ebuild
hardened-sources-3.2.55-r8.ebuild
hardened-sources-3.2.54-r10.ebuild
hardened-sources-3.2.53-r7.ebuild

All other versions lower than this for M.m.p-r versions do not
Comment 2 Anthony Basile gentoo-dev 2014-06-05 21:34:31 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #1)
> I have updated hardened sources.
> 
> These have the fix (4 patches, not 6 as posted here:
> http://seclists.org/oss-sec/2014/q2/470).
> 
> hardened-sources-3.14.5-r1.ebuild
> hardened-sources-3.14.4-r2.ebuild
> hardened-sources-3.13.10-r1.ebuild
> hardened-sources-3.13.6-r4.ebuild
> hardened-sources-3.13.2-r4.ebuild
> hardened-sources-3.11.7-r2.ebuild
> hardened-sources-3.2.59-r3.ebuild
> hardened-sources-3.2.55-r8.ebuild
> hardened-sources-3.2.54-r10.ebuild
> hardened-sources-3.2.53-r7.ebuild
> 
> All other versions lower than this for M.m.p-r versions do not

In the future, please submit the patches to me for inclusion.
Comment 3 Anthony Basile gentoo-dev 2014-06-05 21:48:31 UTC
(In reply to Anthony Basile from comment #2)
> (In reply to Matthew Thode ( prometheanfire ) from comment #1)
> > I have updated hardened sources.
> > 
> > These have the fix (4 patches, not 6 as posted here:
> > http://seclists.org/oss-sec/2014/q2/470).
> > 
> > hardened-sources-3.14.5-r1.ebuild
> > hardened-sources-3.14.4-r2.ebuild
> > hardened-sources-3.13.10-r1.ebuild
> > hardened-sources-3.13.6-r4.ebuild
> > hardened-sources-3.13.2-r4.ebuild
> > hardened-sources-3.11.7-r2.ebuild
> > hardened-sources-3.2.59-r3.ebuild
> > hardened-sources-3.2.55-r8.ebuild
> > hardened-sources-3.2.54-r10.ebuild
> > hardened-sources-3.2.53-r7.ebuild
> > 
> > All other versions lower than this for M.m.p-r versions do not
> 
> In the future, please submit the patches to me for inclusion.

I'm going to have to revert these because the rev bumps are recycled from previous ebuilds that were taken off the tree. Give me a day to see what upstream grsec/pax is up to before we consider this addressed.
Comment 4 Anthony Basile gentoo-dev 2014-06-06 00:30:46 UTC
(In reply to Anthony Basile from comment #3)
> 
> I'm going to have to revert these because the rev bumps are recycled from
> previous ebuilds that were taken off the tree. Give me a day to see what
> upstream grsec/pax is up to before we consider this addressed.


hardened-sources-3.14.5-r2 and hardened-sources-3.2.59-r4 contain the correct fixes from grsec/pax upstream.  I'll rapid stabilize these in a few days.
Comment 5 Nick Soveiko 2014-06-06 18:43:33 UTC
(In reply to Anthony Basile from comment #4)

> hardened-sources-3.14.5-r2 and hardened-sources-3.2.59-r4 contain the
> correct fixes from grsec/pax upstream.  I'll rapid stabilize these in a few
> days.

Does 3.14.5-r2 contain the fix for CVE-2014-0196 (https://bugs.gentoo.org/show_bug.cgi?id=509840)?
Comment 6 Anthony Basile gentoo-dev 2014-06-06 19:40:36 UTC
(In reply to Nick Soveiko from comment #5)
> (In reply to Anthony Basile from comment #4)
> 
> > hardened-sources-3.14.5-r2 and hardened-sources-3.2.59-r4 contain the
> > correct fixes from grsec/pax upstream.  I'll rapid stabilize these in a few
> > days.
> 
> Does 3.14.5-r2 contain the fix for CVE-2014-0196
> (https://bugs.gentoo.org/show_bug.cgi?id=509840)?

Yes.
Comment 7 Anthony Basile gentoo-dev 2014-06-06 19:45:45 UTC
(In reply to Anthony Basile from comment #6)
> (In reply to Nick Soveiko from comment #5)
> > (In reply to Anthony Basile from comment #4)
> > 
> > > hardened-sources-3.14.5-r2 and hardened-sources-3.2.59-r4 contain the
> > > correct fixes from grsec/pax upstream.  I'll rapid stabilize these in a few
> > > days.
> > 
> > Does 3.14.5-r2 contain the fix for CVE-2014-0196
> > (https://bugs.gentoo.org/show_bug.cgi?id=509840)?
> 
> Yes.

The current recommendation is to use hardened-sources-3.14.5-r2 or hardened-sources-3.2.59-r5 to cover both the pty race and the futex syscall ring 0 exploit. However, there is a known issue, so do not enable KSTACKOVERFLOW. See http://forums.grsecurity.net/viewtopic.php?f=3&t=3970.
Comment 8 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2014-06-06 20:20:08 UTC
This has been taken care of for most branches and arches in gentoo-sources; the only remaining vulnerable ones are those that need stabilization as per bug #510488.

An overview of the patched versions if someone needs to know them:

    3.2.58-r3, 3.4.91-r1, 3.10.41-r1 (stable), 3.12.21-r1 (stable), 3.14.5-r1

Any lower versions in each branch are vulnerable. Removal of old keywords and ebuilds, as well as masking of newer ebuilds, is done, except for the above bug.
Comment 9 Nick Soveiko 2014-06-11 17:23:29 UTC
(In reply to Anthony Basile from comment #7)

> The current recommendation is to use hardened-sources-3.14.5-r2 or
> hardened-sources-3.2.59-r5 to cover both the pty race and the futex syscall
> ring 0 exploit. However, there is a known issue, so do not enable KSTACKOVERFLOW.
> See http://forums.grsecurity.net/viewtopic.php?f=3&t=3970.

I see hardened-sources-3.14.5-r2 is stable now. Has the issue with KSTACKOVERFLOW been resolved? Is it safe to enable on a headless machine? On a KVM guest?
Comment 10 Alexander Tsoy 2014-06-11 17:47:02 UTC
(In reply to Nick Soveiko from comment #9)

This issue is still here. Please read the following thread:
http://thread.gmane.org/gmane.linux.gentoo.hardened/6211
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-08-10 21:53:11 UTC
CVE-2014-3153 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3153):
  The futex_requeue function in kernel/futex.c in the Linux kernel through
  3.14.5 does not ensure that calls have two different futex addresses, which
  allows local users to gain privileges via a crafted FUTEX_REQUEUE command
  that facilitates unsafe waiter modification.
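As an added example (not part of this bug or of any Gentoo or kernel code), a small C probe that asks the running kernel whether it enforces the "two different futex addresses" check the CVE text describes: a fixed kernel rejects a requeue-PI of a private futex onto itself with EINVAL before touching any waiter, while an unfixed kernel proceeds and fails only the later value comparison with EAGAIN. No thread waits on the word, so the call is a no-op either way; the enum and function names are my own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __linux__
#include <linux/futex.h>
#include <sys/syscall.h>
#endif

enum requeue_status { REQUEUE_INCONCLUSIVE = -1, REQUEUE_PATCHED = 0, REQUEUE_VULNERABLE = 1 };

/* Map the syscall result to a verdict.  A fixed kernel rejects uaddr1 == uaddr2
 * for requeue-PI with EINVAL before it looks at any waiter.  An unfixed kernel
 * gets as far as comparing val3 with the futex word; since the probe below
 * makes them differ, it fails with EAGAIN (a return of 0 would mean the call
 * was accepted outright).  ENOSYS means PI futexes are unavailable here (old
 * kernel, unsupported arch or a sandbox), so nothing can be concluded. */
enum requeue_status classify_requeue_result(long rc, int err)
{
    if (rc == 0)
        return REQUEUE_VULNERABLE;
    if (err == EINVAL)
        return REQUEUE_PATCHED;
    if (err == EAGAIN)
        return REQUEUE_VULNERABLE;
    return REQUEUE_INCONCLUSIVE;
}

/* Requeue-PI a private futex onto itself.  No thread waits on the word, so the
 * call has no side effects on either kind of kernel. */
enum requeue_status probe_futex_requeue_pi(void)
{
#ifdef __linux__
    uint32_t word = 0;
    long rc = syscall(SYS_futex, &word,
                      FUTEX_CMP_REQUEUE_PI | FUTEX_PRIVATE_FLAG,
                      1,          /* nr_wake: requeue-PI requires exactly 1 */
                      (void *)1,  /* nr_requeue, passed in the timeout slot */
                      &word,      /* uaddr2 == uaddr1: the CVE-2014-3153 case */
                      1);         /* val3: deliberately != word, so no match */
    return classify_requeue_result(rc, rc == -1 ? errno : 0);
#else
    return REQUEUE_INCONCLUSIVE; /* not Linux: nothing to probe */
#endif
}
```

A verdict of REQUEUE_INCONCLUSIVE (for example in a sandbox that does not implement PI futexes) should be followed up by checking the kernel version against the patched ebuilds listed in the comments above.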
Comment 12 Thomas Deutschmann gentoo-dev Security 2016-11-30 00:54:56 UTC
All upstream LTS kernels include the patch; all sys-kernel/gentoo-sources ebuilds except sys-kernel/gentoo-sources-3.4.x have stable ebuilds containing the fix.

sys-kernel/gentoo-sources-3.4.x is currently being stabilized in bug 522930.