speed47 / spectre-meltdown-checker

Reptar, Downfall, Zenbleed, ZombieLoad, RIDL, Fallout, Foreshadow, Spectre, Meltdown vulnerability/mitigation checker for Linux & BSD

add CVE-2019-15902 #304

Open asarubbo opened 5 years ago

asarubbo commented 5 years ago

https://grsecurity.net/teardown_of_a_failed_linux_lts_spectre_fix.php

speed47 commented 5 years ago

This CVE points out a bad backport of a fix on stable kernels; the diff fixing it is as follows:

diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c
index 1ca929767a1b..0b6d27dfc234 100644
--- a/arch/x86/kernel/ptrace.c
+++ b/arch/x86/kernel/ptrace.c
@@ -698,11 +698,10 @@ static unsigned long ptrace_get_debugreg(struct task_struct *tsk, int n)
 {
        struct thread_struct *thread = &tsk->thread;
        unsigned long val = 0;
-       int index = n;

        if (n < HBP_NUM) {
+               int index = array_index_nospec(n, HBP_NUM);
                struct perf_event *bp = thread->ptrace_bps[index];
-               index = array_index_nospec(index, HBP_NUM);

                if (bp)
                        val = bp->hw.info.address;

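Review bot: the ordering is the whole fix here, so add a one-line comment above `int index = array_index_nospec(n, HBP_NUM);` stating that the clamp must precede the `thread->ptrace_bps[index]` load; the regressed backport computed it one line after that load, and nothing in the code itself says why the order matters, which is how a future backport could reorder it again. Declaring `index` inside the `if (n < HBP_NUM)` block is a good touch, since it keeps the unclamped `n` from being reused for the array access.
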
It's going to be almost impossible to detect it on a running kernel, unfortunately.

Keeping this open just for information.
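As an added illustration of what the patch above changes (example code written for this page, not code from spectre-meltdown-checker or from the kernel tree): the mask arithmetic in `array_index_mask_nospec` is the kernel's generic C fallback from include/linux/nospec.h (x86 uses an inline-asm version with the same result); `ptrace_bps_addr`, `speculative_load_index` and `get_debugreg_fixed` are constructed userspace stand-ins. The "speculative" function does not run real transient execution; it only returns the index that would reach the array load if the `n < HBP_NUM` branch were mispredicted, with the clamp placed either after the load (the broken backport) or before it (the fix).

```c
/* Added example, not from spectre-meltdown-checker or the kernel.
 * Models the Spectre v1 ordering bug behind CVE-2019-15902: the index clamp
 * (array_index_nospec) must run before the array load, not after it.
 */
#include <stdbool.h>
#include <stdio.h>

#define HBP_NUM 4                               /* x86 hardware breakpoint slots */
#define BITS_PER_LONG (8 * sizeof(unsigned long))

/* All-ones when index < size, all-zeros otherwise, computed without a branch so
 * it still holds while the CPU runs ahead of a mispredicted bounds check.
 * This is the generic C fallback from include/linux/nospec.h. */
static unsigned long array_index_mask_nospec(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Clamp index into [0, size): unchanged when in range, forced to 0 otherwise. */
static unsigned long array_index_nospec(unsigned long index, unsigned long size)
{
    return index & array_index_mask_nospec(index, size);
}

/* Constructed stand-in for thread->ptrace_bps[]: one address per slot. */
static const unsigned long ptrace_bps_addr[HBP_NUM] = {
    0x400100, 0x400200, 0x400300, 0x400400,
};

/* Constructed model: the index fed to the array load assuming the
 * `n < HBP_NUM` branch has been mispredicted as taken.
 *   clamp_before_load == false: the backported order, where the load of
 *       ptrace_bps[index] happened before index = array_index_nospec(...)
 *   clamp_before_load == true:  the order restored by the patch. */
static unsigned long speculative_load_index(unsigned long n, bool clamp_before_load)
{
    unsigned long index = n;
    if (clamp_before_load)
        index = array_index_nospec(index, HBP_NUM);
    /* the array load uses `index` at this point; in the buggy order the
     * clamp came only after it and therefore protected nothing */
    return index;
}

/* Architectural behaviour of the fixed ptrace_get_debugreg() for the
 * breakpoint-slot case: the slot address, or 0 for an out-of-range n. */
static unsigned long get_debugreg_fixed(unsigned long n)
{
    unsigned long val = 0;
    if (n < HBP_NUM) {
        unsigned long index = array_index_nospec(n, HBP_NUM);
        val = ptrace_bps_addr[index];
    }
    return val;
}

int main(void)
{
    unsigned long n = 100;  /* constructed attacker-chosen, out-of-range index */
    printf("clamp after load  -> index %lu\n", speculative_load_index(n, false));
    printf("clamp before load -> index %lu\n", speculative_load_index(n, true));
    printf("debugreg[2] = 0x%lx, debugreg[9] = 0x%lx\n",
           get_debugreg_fixed(2), get_debugreg_fixed(9));
    return 0;
}
```

The mask is all-ones only when `index < size`, so an out-of-range index is zeroed regardless of what the branch predictor did; that is why it must be applied to the value used for the load and not to a copy fixed up afterwards, and why the checker cannot observe the difference from userspace on a running kernel.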