Ack: [Lucid CVE-2013-0268] x86/msr: Add capabilities check

Brad Figg brad.figg at canonical.com
Fri Feb 15 17:01:42 UTC 2013


On 02/15/2013 07:02 AM, Luis Henriques wrote:
> From: Alan Cox <alan at linux.intel.com>
> 
> CVE-2013-0268
> 
> BugLink: http://bugs.launchpad.net/bugs/1123049
> 
> At the moment the MSR driver only relies upon file system
> checks. This means that anything as root with any capability set
> can write to MSRs. Historically that wasn't very interesting but
> on modern processors the MSRs are such that writing to them
> provides several ways to execute arbitary code in kernel space.
> Sample code and documentation on doing this is circulating and
> MSR attacks are used on Windows 64bit rootkits already.
> 
> In the Linux case you still need to be able to open the device
> file so the impact is fairly limited and reduces the security of
> some capability and security model based systems down towards
> that of a generic "root owns the box" setup.
> 
> Therefore they should require CAP_SYS_RAWIO to prevent an
> elevation of capabilities. The impact of this is fairly minimal
> on most setups because they don't have heavy use of
> capabilities. Those using SELinux, SMACK or AppArmor rules might
> want to consider if their rulesets on the MSR driver could be
> tighter.
> 
> Signed-off-by: Alan Cox <alan at linux.intel.com>
> Cc: Linus Torvalds <torvalds at linux-foundation.org>
> Cc: Andrew Morton <akpm at linux-foundation.org>
> Cc: Peter Zijlstra <a.p.zijlstra at chello.nl>
> Cc: Horses <stable at kernel.org>
> Signed-off-by: Ingo Molnar <mingo at kernel.org>
> (cherry picked from commit c903f0456bc69176912dee6dd25c6a66ee1aed00)
> 
> Conflicts:
> 	arch/x86/kernel/msr.c
> 
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
>  arch/x86/kernel/msr.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
> index 5eaeb5e..63a053b 100644
> --- a/arch/x86/kernel/msr.c
> +++ b/arch/x86/kernel/msr.c
> @@ -176,6 +176,9 @@ static int msr_open(struct inode *inode, struct file *file)
>  	struct cpuinfo_x86 *c = &cpu_data(cpu);
>  	int ret = 0;
>  
> +	if (!capable(CAP_SYS_RAWIO))
> +		return -EPERM;
> +
>  	lock_kernel();
>  	cpu = iminor(file->f_path.dentry->d_inode);
>  
> 


-- 
Brad Figg brad.figg at canonical.com http://www.canonical.com




More information about the kernel-team mailing list