author | Sona Sarmadi <sona.sarmadi@enea.com> | 2015-12-08 13:08:50 +0100 |
---|---|---|
committer | Sona Sarmadi <sona.sarmadi@enea.com> | 2015-12-11 10:25:49 +0100 |
commit | 6139644280195f8fb7d59b713f3d226a84b21665 (patch) | |
tree | 75bcbb7eccb436e3206c59d089e4824c3b3ff1e1 | |
parent | 989d7ad1335bf9473db75b94b58d7036619be5d0 (diff) | |
download | meta-enea-6139644280195f8fb7d59b713f3d226a84b21665.tar.gz |
linux-yocto: CVE-2015-3339
Fixes race condition between chown() and execve() system calls in the
linux-yocto 3.14 version.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3339
http://seclists.org/oss-sec/2015/q2/216
Upstream fix:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=de70236fbe30749fb8c317088c16a97e700fe232
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
-rw-r--r-- | recipes-kernel/linux/files/fs-CVE-2015-3339.patch | 122 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-yocto_3.14.bbappend | 1 |
2 files changed, 123 insertions, 0 deletions
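--- /dev/null
+++ b/recipes-kernel/linux/files/fs-CVE-2015-3339.patch
@@ -0,0 +1,122 @@
+Date: Sun, 19 Apr 2015 02:48:39 +0200
+Subject: fs: take i_mutex during prepare_binprm for set[ug]id executables
+
+commit 8b01fc86b9f425899f8a3a8fc1c47d73c2c20543 upstream.
+
+This prevents a race between chown() and execve(), where chowning a
+setuid-user binary to root would momentarily make the binary setuid
+root.
+
+This patch was mostly written by Linus Torvalds.
+
+Fixes CVE-2015-3339.
+Upstream-Status: Backport
+
+Signed-off-by: Jann Horn <jann@thejh.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Charles Williams <ciwillia@brocade.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+fs/exec.c | 76 ++++++++++++++++++++++++++++++++++++++++-----------------------
+1 file changed, 48 insertions(+), 28 deletions(-)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index ea4449d..05f1942 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1268,6 +1268,53 @@ static void check_unsafe_exec(struct linux_binprm *bprm)
+spin_unlock(&p->fs->lock);
+}
+
++static void bprm_fill_uid(struct linux_binprm *bprm)
++{
++ struct inode *inode;
++ unsigned int mode;
++ kuid_t uid;
++ kgid_t gid;
++
++ /* clear any previous set[ug]id data from a previous binary */
++ bprm->cred->euid = current_euid();
++ bprm->cred->egid = current_egid();
++
++ if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
++ return;
++
++ if (current->no_new_privs)
++ return;
++
++ inode = file_inode(bprm->file);
++ mode = ACCESS_ONCE(inode->i_mode);
++ if (!(mode & (S_ISUID|S_ISGID)))
++ return;
++
++ /* Be careful if suid/sgid is set */
++ mutex_lock(&inode->i_mutex);
++
++ /* reload atomically mode/uid/gid now that lock held */
++ mode = inode->i_mode;
++ uid = inode->i_uid;
++ gid = inode->i_gid;
++ mutex_unlock(&inode->i_mutex);
++
++ /* We ignore suid/sgid if there are no mappings for them in the ns */
++ if (!kuid_has_mapping(bprm->cred->user_ns, uid) ||
++ !kgid_has_mapping(bprm->cred->user_ns, gid))
++ return;
++
++ if (mode & S_ISUID) {
++ bprm->per_clear |= PER_CLEAR_ON_SETID;
++ bprm->cred->euid = uid;
++ }
++
++ if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
++ bprm->per_clear |= PER_CLEAR_ON_SETID;
++ bprm->cred->egid = gid;
++ }
++}
++
+/*
+* Fill the binprm structure from the inode.
+* Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes
+@@ -1276,36 +1323,9 @@ static void check_unsafe_exec(struct linux_binprm *bprm)
+*/
+int prepare_binprm(struct linux_binprm *bprm)
+{
+- struct inode *inode = file_inode(bprm->file);
+- umode_t mode = inode->i_mode;
+int retval;
+
+-
+- /* clear any previous set[ug]id data from a previous binary */
+- bprm->cred->euid = current_euid();
+- bprm->cred->egid = current_egid();
+-
+- if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) &&
+- !current->no_new_privs &&
+- kuid_has_mapping(bprm->cred->user_ns, inode->i_uid) &&
+- kgid_has_mapping(bprm->cred->user_ns, inode->i_gid)) {
+- /* Set-uid? */
+- if (mode & S_ISUID) {
+- bprm->per_clear |= PER_CLEAR_ON_SETID;
+- bprm->cred->euid = inode->i_uid;
+- }
+-
+- /* Set-gid? */
+- /*
+- * If setgid is set but no group execute bit then this
+- * is a candidate for mandatory locking, not a setgid
+- * executable.
+- */
+- if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
+- bprm->per_clear |= PER_CLEAR_ON_SETID;
+- bprm->cred->egid = inode->i_gid;
+- }
+- }
++ bprm_fill_uid(bprm);
+
+/* fill in binprm security blob */
+retval = security_bprm_set_creds(bprm);
+--
+cgit v0.11.2
+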
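--- a/recipes-kernel/linux/linux-yocto_3.14.bbappend
+++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -6,4 +6,5 @@ SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-d
 file://net-CVE-2015-2041.patch \
 file://IB-uverbs-CVE-2014-8159.patch \
 file://net-sctp-CVE-2015-1421.patch \
+file://fs-CVE-2015-3339.patch \
 "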