fs: CVE-2015-3339

Fixes race condition between chown() and execve() system calls in the References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3339 http://seclists.org/oss-sec/2015/q2/216 Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch /?id=5176b77f1aacdc560eaeac4685ade444bb814689 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Zhenhua Luo <zhenhua.luo@nxp.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2015-12-15 13:57:33 +0100
committer: Zhenhua Luo <zhenhua.luo@nxp.com> 2015-12-21 13:56:36 +0800
commit: 7574130137f72567fc1294be425b28a33f29cf71 (patch)
tree: c4e9825fa367fde4973f2ec44bc0aaca225ae485
parent: 386c14696530aa137f662c19383f702b05b578ee (diff)
download: meta-fsl-ppc-7574130137f72567fc1294be425b28a33f29cf71.tar.gz
2 files changed, 128 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/fs-CVE-2015-3339.patch b/recipes-kernel/linux/files/fs-CVE-2015-3339.patch
new file mode 100644
index 0000000..732f009
--- /dev/null
+++ b/recipes-kernel/linux/files/fs-CVE-2015-3339.patch
@@ -0,0 +1,127 @@
+From 5176b77f1aacdc560eaeac4685ade444bb814689 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jann@thejh.net>
+Date: Sun, 19 Apr 2015 02:48:39 +0200
+Subject: fs: take i_mutex during prepare_binprm for set[ug]id executables
+commit 8b01fc86b9f425899f8a3a8fc1c47d73c2c20543 upstream.
+This prevents a race between chown() and execve(), where chowning a
+setuid-user binary to root would momentarily make the binary setuid
+root.
+This patch was mostly written by Linus Torvalds.
+Fixes CVE-2015-3339.
+Upstream-Status: Backport
+Signed-off-by: Jann Horn <jann@thejh.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Charles Williams <ciwillia@brocade.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ fs/exec.c | 76 ++++++++++++++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 48 insertions(+), 28 deletions(-)
+diff --git a/fs/exec.c b/fs/exec.c
+index 26bb91b..d8b46a1 100644
+--- a/fs/exec.c
+++ b/fs/exec.c
+@@ -1272,6 +1272,53 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
+        return res;
+ }
+ 
+static void bprm_fill_uid(struct linux_binprm *bprm)
+{
+       struct inode *inode;
+       unsigned int mode;
+       kuid_t uid;
+       kgid_t gid;
+
+       /* clear any previous set[ug]id data from a previous binary */
+       bprm->cred->euid = current_euid();
+       bprm->cred->egid = current_egid();
+
+       if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
+               return;
+
+       if (current->no_new_privs)
+               return;
+
+       inode = file_inode(bprm->file);
+       mode = ACCESS_ONCE(inode->i_mode);
+       if (!(mode & (S_ISUID|S_ISGID)))
+               return;
+
+       /* Be careful if suid/sgid is set */
+       mutex_lock(&inode->i_mutex);
+
+       /* reload atomically mode/uid/gid now that lock held */
+       mode = inode->i_mode;
+       uid = inode->i_uid;
+       gid = inode->i_gid;
+       mutex_unlock(&inode->i_mutex);
+
+       /* We ignore suid/sgid if there are no mappings for them in the ns */
+       if (!kuid_has_mapping(bprm->cred->user_ns, uid) ||
+                !kgid_has_mapping(bprm->cred->user_ns, gid))
+               return;
+
+       if (mode & S_ISUID) {
+               bprm->per_clear |= PER_CLEAR_ON_SETID;
+               bprm->cred->euid = uid;
+       }
+
+       if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
+               bprm->per_clear |= PER_CLEAR_ON_SETID;
+               bprm->cred->egid = gid;
+       }
+}
+
+ /* 
+  * Fill the binprm structure from the inode. 
+  * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes
+@@ -1280,39 +1327,12 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
+  */
+ int prepare_binprm(struct linux_binprm *bprm)
+ {
+-       umode_t mode;
+-       struct inode * inode = file_inode(bprm->file);
+        int retval;
+ 
+-       mode = inode->i_mode;
+        if (bprm->file->f_op == NULL)
+                return -EACCES;
+ 
+-       /* clear any previous set[ug]id data from a previous binary */
+-       bprm->cred->euid = current_euid();
+-       bprm->cred->egid = current_egid();
+-
+-       if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) &&
+-           !current->no_new_privs &&
+-           kuid_has_mapping(bprm->cred->user_ns, inode->i_uid) &&
+-           kgid_has_mapping(bprm->cred->user_ns, inode->i_gid)) {
+-               /* Set-uid? */
+-               if (mode & S_ISUID) {
+-                       bprm->per_clear |= PER_CLEAR_ON_SETID;
+-                       bprm->cred->euid = inode->i_uid;
+-               }
+-
+-               /* Set-gid? */
+-               /*
+-                * If setgid is set but no group execute bit then this
+-                * is a candidate for mandatory locking, not a setgid
+-                * executable.
+-                */
+-               if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
+-                       bprm->per_clear |= PER_CLEAR_ON_SETID;
+-                       bprm->cred->egid = inode->i_gid;
+-               }
+-       }
+       bprm_fill_uid(bprm);
+ 
+        /* fill in binprm security blob */
+        retval = security_bprm_set_creds(bprm);
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index 4a2ea43..fed0591 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -37,6 +37,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
    file://media-ttusb-dec-CVE-2014-8884.patch \
    file://net-sctp-CVE-2015-1421.patch \
    file://net-CVE-2015-2041.patch \
+    file://fs-CVE-2015-3339.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2015-12-15 13:57:33 +0100
committer	Zhenhua Luo <zhenhua.luo@nxp.com>	2015-12-21 13:56:36 +0800
commit	7574130137f72567fc1294be425b28a33f29cf71 (patch)
tree	c4e9825fa367fde4973f2ec44bc0aaca225ae485
parent	386c14696530aa137f662c19383f702b05b578ee (diff)
download	meta-fsl-ppc-7574130137f72567fc1294be425b28a33f29cf71.tar.gz

diff --git a/recipes-kernel/linux/files/fs-CVE-2015-3339.patch b/recipes-kernel/linux/files/fs-CVE-2015-3339.patch new file mode 100644 index 0000000..732f009 --- /dev/null +++ b/recipes-kernel/linux/files/fs-CVE-2015-3339.patch
@@ -0,0 +1,127 @@
		1	From 5176b77f1aacdc560eaeac4685ade444bb814689 Mon Sep 17 00:00:00 2001
		2	From: Jann Horn <jann@thejh.net>
		3	Date: Sun, 19 Apr 2015 02:48:39 +0200
		4	Subject: fs: take i_mutex during prepare_binprm for set[ug]id executables
		5
		6	commit 8b01fc86b9f425899f8a3a8fc1c47d73c2c20543 upstream.
		7
		8	This prevents a race between chown() and execve(), where chowning a
		9	setuid-user binary to root would momentarily make the binary setuid
		10	root.
		11
		12	This patch was mostly written by Linus Torvalds.
		13
		14	Fixes CVE-2015-3339.
		15	Upstream-Status: Backport
		16
		17	Signed-off-by: Jann Horn <jann@thejh.net>
		18	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
		19	Signed-off-by: Charles Williams <ciwillia@brocade.com>
		20	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
		21	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		22	---
		23	fs/exec.c \| 76 ++++++++++++++++++++++++++++++++++++++++-----------------------
		24	1 file changed, 48 insertions(+), 28 deletions(-)
		25
		26	diff --git a/fs/exec.c b/fs/exec.c
		27	index 26bb91b..d8b46a1 100644
		28	--- a/fs/exec.c
		29	+++ b/fs/exec.c
		30	@@ -1272,6 +1272,53 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
		31	return res;
		32	}
		33
		34	+static void bprm_fill_uid(struct linux_binprm *bprm)
		35	+{
		36	+ struct inode *inode;
		37	+ unsigned int mode;
		38	+ kuid_t uid;
		39	+ kgid_t gid;
		40	+
		41	+ /* clear any previous set[ug]id data from a previous binary */
		42	+ bprm->cred->euid = current_euid();
		43	+ bprm->cred->egid = current_egid();
		44	+
		45	+ if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
		46	+ return;
		47	+
		48	+ if (current->no_new_privs)
		49	+ return;
		50	+
		51	+ inode = file_inode(bprm->file);
		52	+ mode = ACCESS_ONCE(inode->i_mode);
		53	+ if (!(mode & (S_ISUID\|S_ISGID)))
		54	+ return;
		55	+
		56	+ /* Be careful if suid/sgid is set */
		57	+ mutex_lock(&inode->i_mutex);
		58	+
		59	+ /* reload atomically mode/uid/gid now that lock held */
		60	+ mode = inode->i_mode;
		61	+ uid = inode->i_uid;
		62	+ gid = inode->i_gid;
		63	+ mutex_unlock(&inode->i_mutex);
		64	+
		65	+ /* We ignore suid/sgid if there are no mappings for them in the ns */
		66	+ if (!kuid_has_mapping(bprm->cred->user_ns, uid) \|\|
		67	+ !kgid_has_mapping(bprm->cred->user_ns, gid))
		68	+ return;
		69	+
		70	+ if (mode & S_ISUID) {
		71	+ bprm->per_clear \|= PER_CLEAR_ON_SETID;
		72	+ bprm->cred->euid = uid;
		73	+ }
		74	+
		75	+ if ((mode & (S_ISGID \| S_IXGRP)) == (S_ISGID \| S_IXGRP)) {
		76	+ bprm->per_clear \|= PER_CLEAR_ON_SETID;
		77	+ bprm->cred->egid = gid;
		78	+ }
		79	+}
		80	+
		81	/*
		82	* Fill the binprm structure from the inode.
		83	* Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes
		84	@@ -1280,39 +1327,12 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
		85	*/
		86	int prepare_binprm(struct linux_binprm *bprm)
		87	{
		88	- umode_t mode;
		89	- struct inode * inode = file_inode(bprm->file);
		90	int retval;
		91
		92	- mode = inode->i_mode;
		93	if (bprm->file->f_op == NULL)
		94	return -EACCES;
		95
		96	- /* clear any previous set[ug]id data from a previous binary */
		97	- bprm->cred->euid = current_euid();
		98	- bprm->cred->egid = current_egid();
		99	-
		100	- if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) &&
		101	- !current->no_new_privs &&
		102	- kuid_has_mapping(bprm->cred->user_ns, inode->i_uid) &&
		103	- kgid_has_mapping(bprm->cred->user_ns, inode->i_gid)) {
		104	- /* Set-uid? */
		105	- if (mode & S_ISUID) {
		106	- bprm->per_clear \|= PER_CLEAR_ON_SETID;
		107	- bprm->cred->euid = inode->i_uid;
		108	- }
		109	-
		110	- /* Set-gid? */
		111	- /*
		112	- * If setgid is set but no group execute bit then this
		113	- * is a candidate for mandatory locking, not a setgid
		114	- * executable.
		115	- */
		116	- if ((mode & (S_ISGID \| S_IXGRP)) == (S_ISGID \| S_IXGRP)) {
		117	- bprm->per_clear \|= PER_CLEAR_ON_SETID;
		118	- bprm->cred->egid = inode->i_gid;
		119	- }
		120	- }
		121	+ bprm_fill_uid(bprm);
		122
		123	/* fill in binprm security blob */
		124	retval = security_bprm_set_creds(bprm);
		125	--
		126	1.9.1
		127


diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb index 4a2ea43..fed0591 100644 --- a/recipes-kernel/linux/linux-qoriq_3.12.bb +++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -37,6 +37,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
37	file://media-ttusb-dec-CVE-2014-8884.patch \	37	file://media-ttusb-dec-CVE-2014-8884.patch \
38	file://net-sctp-CVE-2015-1421.patch \	38	file://net-sctp-CVE-2015-1421.patch \
39	file://net-CVE-2015-2041.patch \	39	file://net-CVE-2015-2041.patch \
		40	file://fs-CVE-2015-3339.patch \
40	"	41	"
41	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"	42	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
42		43