author | Sona Sarmadi <sona.sarmadi@enea.com> | 2015-12-15 13:57:33 +0100 |
---|---|---|
committer | Zhenhua Luo <zhenhua.luo@nxp.com> | 2015-12-21 13:56:36 +0800 |
commit | 7574130137f72567fc1294be425b28a33f29cf71 (patch) | |
tree | c4e9825fa367fde4973f2ec44bc0aaca225ae485 | |
parent | 386c14696530aa137f662c19383f702b05b578ee (diff) | |
fs: CVE-2015-3339
Fixes a race condition between the chown() and execve() system calls in the Linux kernel.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3339
http://seclists.org/oss-sec/2015/q2/216
Upstream fix:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch
/?id=5176b77f1aacdc560eaeac4685ade444bb814689
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Zhenhua Luo <zhenhua.luo@nxp.com>
-rw-r--r-- | recipes-kernel/linux/files/fs-CVE-2015-3339.patch | 127 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-qoriq_3.12.bb | 1 |
2 files changed, 128 insertions, 0 deletions
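--- /dev/null
+++ b/recipes-kernel/linux/files/fs-CVE-2015-3339.patch
@@ -0,0 +1,127 @@
+From 5176b77f1aacdc560eaeac4685ade444bb814689 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jann@thejh.net>
+Date: Sun, 19 Apr 2015 02:48:39 +0200
+Subject: fs: take i_mutex during prepare_binprm for set[ug]id executables
+
+commit 8b01fc86b9f425899f8a3a8fc1c47d73c2c20543 upstream.
+
+This prevents a race between chown() and execve(), where chowning a
+setuid-user binary to root would momentarily make the binary setuid
+root.
+
+This patch was mostly written by Linus Torvalds.
+
+Fixes CVE-2015-3339.
+Upstream-Status: Backport
+
+Signed-off-by: Jann Horn <jann@thejh.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Charles Williams <ciwillia@brocade.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+fs/exec.c | 76 ++++++++++++++++++++++++++++++++++++++++-----------------------
+1 file changed, 48 insertions(+), 28 deletions(-)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index 26bb91b..d8b46a1 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1272,6 +1272,53 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
+return res;
+}
+
++static void bprm_fill_uid(struct linux_binprm *bprm)
++{
++ struct inode *inode;
++ unsigned int mode;
++ kuid_t uid;
++ kgid_t gid;
++
++ /* clear any previous set[ug]id data from a previous binary */
++ bprm->cred->euid = current_euid();
++ bprm->cred->egid = current_egid();
++
++ if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
++ return;
++
++ if (current->no_new_privs)
++ return;
++
++ inode = file_inode(bprm->file);
++ mode = ACCESS_ONCE(inode->i_mode);
++ if (!(mode & (S_ISUID|S_ISGID)))
++ return;
++
++ /* Be careful if suid/sgid is set */
++ mutex_lock(&inode->i_mutex);
++
++ /* reload atomically mode/uid/gid now that lock held */
++ mode = inode->i_mode;
++ uid = inode->i_uid;
++ gid = inode->i_gid;
++ mutex_unlock(&inode->i_mutex);
++
++ /* We ignore suid/sgid if there are no mappings for them in the ns */
++ if (!kuid_has_mapping(bprm->cred->user_ns, uid) ||
++ !kgid_has_mapping(bprm->cred->user_ns, gid))
++ return;
++
++ if (mode & S_ISUID) {
++ bprm->per_clear |= PER_CLEAR_ON_SETID;
++ bprm->cred->euid = uid;
++ }
++
++ if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
++ bprm->per_clear |= PER_CLEAR_ON_SETID;
++ bprm->cred->egid = gid;
++ }
++}
++
+/*
+* Fill the binprm structure from the inode.
+* Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes
+@@ -1280,39 +1327,12 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
+*/
+int prepare_binprm(struct linux_binprm *bprm)
+{
+- umode_t mode;
+- struct inode * inode = file_inode(bprm->file);
+int retval;
+
+- mode = inode->i_mode;
+if (bprm->file->f_op == NULL)
+return -EACCES;
+
+- /* clear any previous set[ug]id data from a previous binary */
+- bprm->cred->euid = current_euid();
+- bprm->cred->egid = current_egid();
+-
+- if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) &&
+- !current->no_new_privs &&
+- kuid_has_mapping(bprm->cred->user_ns, inode->i_uid) &&
+- kgid_has_mapping(bprm->cred->user_ns, inode->i_gid)) {
+- /* Set-uid? */
+- if (mode & S_ISUID) {
+- bprm->per_clear |= PER_CLEAR_ON_SETID;
+- bprm->cred->euid = inode->i_uid;
+- }
+-
+- /* Set-gid? */
+- /*
+- * If setgid is set but no group execute bit then this
+- * is a candidate for mandatory locking, not a setgid
+- * executable.
+- */
+- if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
+- bprm->per_clear |= PER_CLEAR_ON_SETID;
+- bprm->cred->egid = inode->i_gid;
+- }
+- }
++ bprm_fill_uid(bprm);
+
+/* fill in binprm security blob */
+retval = security_bprm_set_creds(bprm);
+--
+1.9.1
+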
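Review bot: In the added bprm_fill_uid(), the setgid test `(mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)` lost the comment that the removed prepare_binprm() lines carried, so the reason S_IXGRP is required is no longer stated; I would restore it above that `if` as `/* setgid without group-execute is a mandatory-locking candidate, not a setgid executable */`. The unlocked `ACCESS_ONCE(inode->i_mode)` read is only an early-out filter, while the euid/egid decision uses the mode, uid and gid re-read together under `i_mutex`; a one-line comment such as `/* unlocked peek only; the values used below are re-read under i_mutex */` would keep a later cleanup from trusting the first read. Because this file is a backport, keeping the hunk identical to upstream and raising the comments there is a reasonable alternative. Separately, a `CVE: CVE-2015-3339` tag line next to `Upstream-Status: Backport` in the patch header would make the fix easier for tooling to track.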
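--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -37,6 +37,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
 file://media-ttusb-dec-CVE-2014-8884.patch \
 file://net-sctp-CVE-2015-1421.patch \
 file://net-CVE-2015-2041.patch \
+file://fs-CVE-2015-3339.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
 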