Closed Bug 1026867 Opened 11 years ago Closed 8 years ago

CVE-2014-3153 - Local root vulnerability in Linux kernel futex(2) implementation

Categories

(Firefox OS Graveyard :: General, defect)

ARM
Gonk (Firefox OS)
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: dhylands, Unassigned)

References

Details

(Keywords: sec-moderate, Whiteboard: [cr 676096])

Attachments

(7 files)

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3153

Apparently, this is what TowelRoot uses to obtain root access on Android. I was able to use TowelRoot to gain root access on my 4.4.3 Android Nexus 5.

Looks like a kernel patch is needed. This appears to affect all kernels up to and including 3.14.5.

This email thread has patches attached to it: http://seclists.org/oss-sec/2014/q2/467
We're actively propagating this fix to the CAF kernel branches including the Firefox OS branches already. No action required in this bug for CAF.
Whiteboard: [cr 676096]
(In reply to Paul Theriault [:pauljt] from comment #2)
> :'(
>
> http://mxr.mozilla.org/mozilla-central/source/security/sandbox/linux/
> SandboxFilter.cpp#106

I'm pretty sure that pthreads locks and semaphores use futex.
Keywords: sec-moderate
OS: Linux → Gonk (Firefox OS)
Hardware: x86_64 → ARM
(In reply to Dave Hylands [:dhylands] (PTO - back Mon Jun 23) from comment #3)
> I'm pretty sure that pthreads locks and semaphores use futex.

Yes: all forms of thread synchronization or locking are implemented in terms of futex, and it's the first thing the filter checks for because it tends to be the single most frequent syscall.

Also, the bugs are complicated enough that I don't know if there's any way to mitigate by filtering on argument values.
Kai-zhen, do you know who needs to be notified to make sure this is patched in Dolphin?
Flags: needinfo?(kli)
Sam, can you confirm with your kernel team if this patch is included in Dolphin's kernel?
Flags: needinfo?(kli) → needinfo?(sam.hua)
Sam, can you confirm with your kernel team if this patch is included in Dolphin's kernel?
Flags: needinfo?(sam.hua)
okay
Flags: needinfo?(sam.hua)
Kaizhen,
please update device/sprd and verify it is ok or not.

Bug #325033 fix fuse /storage/sdcard0 option
[bug number ] 325033
[root cause ] option wrong
[changes ] fix option, 7730 by the way
[side effects] none
[self test ] ok
[whether AOB ] no
[reviewers ] james.zhang

Change-Id: Iaaeabd422d3abd84ee5a6cb53395f49de0a6be6e

Thanks!
Flags: needinfo?(kli)
Flags: needinfo?(sam.hua)
(In reply to sam.hua from comment #9)
> Kaizhen,
> please update device/sprd and verify it is ok or not.
> Bug #325033 fix fuse /storage/sdcard0 option
> [bug number ] 325033
> [root cause ] option wrong
> [changes ] fix option, 7730 by the way
> [side effects] none
> [self test ] ok
> [whether AOB ] no
> [reviewers ] james.zhang
>
> Change-Id: Iaaeabd422d3abd84ee5a6cb53395f49de0a6be6e

Sam, I think this commit is not related. Could you check and confirm again?
Flags: needinfo?(kli)
This attachment contains the Linux kernel patches for CVE-2014-3153 from the 3.4 branch of the Android kernel/goldfish ("goldfish" means the emulator) repo. It applies cleanly (with git-am) to Mozilla's kernel branches for Flame (JB), Nexus 4 (KK), and Nexus 5 (KK). I can file pull requests (and rebuild the binaries for N4/N5) unless there's some reason not to. Note that it will be entirely obvious which bug is being fixed, but I assume that anyone who cares has already noticed our lack of those patches.
Attachment #8467552 - Attachment mime type: application/mbox → text/plain
This is Chromium's patch to their sandbox, blacklisting a specific futex operation to mitigate the vulnerability.
Summary: CVE-2014-3153 - Allow root access → CVE-2014-3153 - Local root vulnerability in Linux kernel futex(2) implementation
Comment on attachment 8467553 [details] [diff] [review] cve-2014-3153-chromium.diff Review of attachment 8467553 [details] [diff] [review]: ----------------------------------------------------------------- ::: sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc @@ +251,5 @@ > > +ErrorCode RestrictFutex(SandboxBPF* sandbox) { > + // In futex.c, the kernel does "int cmd = op & FUTEX_CMD_MASK;". We need to > + // make sure that the combination below will cover every way to get > + // FUTEX_CMP_REQUEUE_PI. I'm not convinced this is enough — judging by the kernel patch labeled "Fixes CVE-2014-3153", mmapping something at multiple addresses and using FUTEX_WAIT_REQUEUE_PI with two distinct virtual addresses that alias could have the same effect. There are also the other futex patches, where inconsistencies can be created through misuse of other operations on priority-inheriting futexes (and only PI futexes, it looks like). These may or may not be exploitable, but Bionic doesn't (currently) support priority-inheritance locks in its pthreads implementation. But the question is: are there any phones that (1) support seccomp-bpf, (2) would be getting an updated Gecko from the 34 branch, and (3) won't get the kernel fixes as well?
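Review bot: the comment in the RestrictFutex hunk says the "combination below" must cover every way to spell FUTEX_CMP_REQUEUE_PI, which suggests the flag variants are being enumerated by hand; since the kernel's own test is `int cmd = op & FUTEX_CMD_MASK;`, the filter should apply the same mask to the op argument and compare the result once, which covers FUTEX_PRIVATE_FLAG, FUTEX_CLOCK_REALTIME, both and neither without a list that can go stale. The comment should also name the two bits FUTEX_CMD_MASK clears so a reader can verify the equivalence, and, given that this CVE concerns the requeue-PI pairing, the same comparison should reject FUTEX_WAIT_REQUEUE_PI alongside FUTEX_CMP_REQUEUE_PI rather than only the one operation named here.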
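To make the argument-filtering discussion concrete, here is an added, illustrative seccomp-bpf program (not Chromium's patch and not Gecko's SandboxFilter.cpp) that normalises the futex op word with the same `op & FUTEX_CMD_MASK` the kernel applies, then refuses FUTEX_CMP_REQUEUE_PI and FUTEX_WAIT_REQUEUE_PI with EPERM while letting every other futex command and every other syscall through. It assumes Linux with a little-endian ABI (the low 32 bits of args[1] sit at offsetof(struct seccomp_data, args[1])) and a kernel with SECCOMP_MODE_FILTER; the arch constants and the tiny in-process interpreter are mine, chosen so the program can be exercised without installing it. As the review above notes, this is a mitigation layer only: it does nothing about aliased mappings or the other PI-futex inconsistencies, and the kernel patches remain the fix.

```c
/*
 * Added example: a seccomp-bpf filter that mirrors the kernel's own
 * "int cmd = op & FUTEX_CMD_MASK;" before deciding whether a futex(2)
 * call is allowed. Illustrative code, not Chromium's or Gecko's sandbox.
 * Linux-only; assumes a little-endian ABI where the low 32 bits of
 * args[1] sit at offsetof(struct seccomp_data, args[1]).
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/futex.h>
#include <linux/seccomp.h>

/* Assumption: map the build target to its AUDIT_ARCH_* value. */
#if defined(__x86_64__)
#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__i386__)
#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
#elif defined(__aarch64__)
#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__arm__)
#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define SD_OFF(field) ((__u32)offsetof(struct seccomp_data, field))
#define RET_EPERM (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/*
 * FUTEX_CMD_MASK is ~(FUTEX_PRIVATE_FLAG | FUTEX_CLOCK_REALTIME). Masking in
 * the filter catches FUTEX_CMP_REQUEUE_PI with either flag, both, or neither,
 * without enumerating the four spellings.
 */
static struct sock_filter futex_filter[] = {
    /* 0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_OFF(arch)),
    /* 1 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),
    /* 2 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    /* 3 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_OFF(nr)),
    /* 4 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_futex, 0, 4),       /* other syscall: allow */
    /* 5 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_OFF(args[1])),         /* op */
    /* 6 */ BPF_STMT(BPF_ALU | BPF_AND | BPF_K, (__u32)FUTEX_CMD_MASK),   /* cmd = op & mask */
    /* 7 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FUTEX_CMP_REQUEUE_PI, 2, 0),
    /* 8 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FUTEX_WAIT_REQUEUE_PI, 1, 0),
    /* 9 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    /* 10 */ BPF_STMT(BPF_RET | BPF_K, RET_EPERM),
};
#define FUTEX_FILTER_LEN (sizeof(futex_filter) / sizeof(futex_filter[0]))

/* Minimal cBPF interpreter covering only the opcodes used above, so the
 * program can be exercised in-process without installing it. */
static unsigned int run_futex_filter(const struct seccomp_data *d)
{
    const unsigned char *raw = (const unsigned char *)d;
    unsigned int acc = 0;
    size_t pc;
    for (pc = 0; pc < FUTEX_FILTER_LEN; pc++) {
        const struct sock_filter *ins = &futex_filter[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            memcpy(&acc, raw + ins->k, sizeof acc);  /* 32-bit load at byte offset k */
            break;
        case BPF_ALU | BPF_AND | BPF_K:
            acc &= ins->k;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == ins->k) ? ins->jt : ins->jf;  /* offsets are relative to the next insn */
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL;  /* unsupported opcode: fail closed */
        }
    }
    return SECCOMP_RET_KILL;
}

/* Verdict the filter gives to syscall `nr` with `op` in the second argument. */
unsigned int filter_verdict(int nr, unsigned int op)
{
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.nr = nr;
    d.arch = SECCOMP_AUDIT_ARCH;
    d.args[1] = op;
    return run_futex_filter(&d);
}

/* Install the filter for the calling thread; no_new_privs is required for an
 * unprivileged caller and keeps the filter across execve. Returns 0 on success. */
int install_futex_filter(void)
{
    struct sock_fprog prog = {
        .len = (unsigned short)FUTEX_FILTER_LEN,
        .filter = futex_filter,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    unsigned int word = 0;
    long r;
    if (install_futex_filter() != 0) {
        perror("install_futex_filter");
        return 1;
    }
    /* Ordinary pthread-style traffic still reaches the kernel. */
    r = syscall(__NR_futex, &word, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1, NULL, NULL, 0);
    printf("FUTEX_WAKE|FUTEX_PRIVATE_FLAG -> %ld\n", r);
    /* The requeue-PI op is refused with EPERM before the kernel sees it. */
    r = syscall(__NR_futex, &word, FUTEX_CMP_REQUEUE_PI | FUTEX_PRIVATE_FLAG, 1, NULL, &word, 0);
    printf("FUTEX_CMP_REQUEUE_PI|FUTEX_PRIVATE_FLAG -> %ld (errno %d, EPERM is %d)\n",
           r, errno, EPERM);
    return 0;
}
```

The arch check at the top is not optional: on a multi-ABI kernel the syscall number in `nr` only means something once `arch` has been pinned, otherwise a 32-bit compat caller could reach a different syscall under the same number. Newer 32-bit ABIs also expose futex_time64, which this program does not look at, so a filter for a current kernel would need the same comparison on that entry point as well.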
Comment on attachment 8468081 [details] [review] GitHub PR for applying fixes to JB Flame kernel source. Looks good to me. The 4 patches also appear to be identical to the ones posted here: https://bugzilla.redhat.com/show_bug.cgi?id=1103626#c11 (I figured validating against the official linux kernel tree was prudent)
Attachment #8468081 - Flags: review?(dhylands) → review+
As always I'm not sure how much a "review" for binaries makes sense, but the Nexuses use prebuilt kernels, so I have to send PRs for them.
Attachment #8468143 - Flags: review?(dhylands)
Comment on attachment 8468143 [details] [review] GitHub PR for updating prebuilt Nexus 5 kernel. I'm fine with this, but this feels like something I'd rather have mwu make sure is fine as well.
Attachment #8468143 - Flags: review?(mwu)
Attachment #8468143 - Flags: review?(dhylands)
Attachment #8468143 - Flags: review+
Comment on attachment 8468142 [details] [review] GitHub PR for applying fixes to Nexus 5 kernel source. I'll go out on a limb here and say r+ for any further patches like this one where the patch is the same.
Attachment #8468142 - Flags: review?(dhylands) → review+
Comment on attachment 8468143 [details] [review] GitHub PR for updating prebuilt Nexus 5 kernel. Sure, why not.
Attachment #8468143 - Flags: review?(mwu) → review+
Attachment #8468176 - Flags: review?(mwu) → review+
Group: core-security → b2g-core-security
FirefoxOS is no longer under active development.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE
Group: b2g-core-security