authorSona Sarmadi <sona.sarmadi@enea.com>2016-01-28 13:32:12 (GMT)
committerPaul Vaduva <Paul.Vaduva@enea.com>2016-01-28 13:36:21 (GMT)
commit227e772457791f69b69646556b3ffbbb94936bd0 (patch)
treed1071ed7a3979a0e5e42efe8d06ead100d09eb79
parentfebcbabc2e4d859a3caf7808ceda68c956da652f (diff)
downloadmeta-hierofalcon-227e772457791f69b69646556b3ffbbb94936bd0.tar.gz
ipc: CVE-2015-7613
Fixes a race condition flaw in the Linux kernel's IPC subsystem. Reference to the upstream patch: https://github.com/torvalds/linux/commit/b9a532277938 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b9a532277938798b53178d5a66af6e2915cb27cf Other external references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7613 http://seclists.org/oss-sec/2015/q4/7 http://www.openwall.com/lists/oss-security/2015/10/01/8 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Paul Vaduva <Paul.Vaduva@enea.com>
-rw-r--r--recipes-kernel/linux/linux-hierofalcon-3.19/ipc-CVE-2015-7613.patch124
-rw-r--r--recipes-kernel/linux/linux-hierofalcon-4.1/ipc-CVE-2015-7613.patch123
-rw-r--r--recipes-kernel/linux/linux-hierofalcon_3.19.bb1
-rw-r--r--recipes-kernel/linux/linux-hierofalcon_4.1.bb1
4 files changed, 249 insertions, 0 deletions
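--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon-3.19/ipc-CVE-2015-7613.patch
@@ -0,0 +1,124 @@
+From b5495ddce4659122180b5fee6fc52dc5196e0918 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed, 30 Sep 2015 12:48:40 -0400
+Subject: Initialize msg/shm IPC objects before doing ipc_addid()
+
+[ Upstream commit b9a532277938798b53178d5a66af6e2915cb27cf ]
+
+As reported by Dmitry Vyukov, we really shouldn't do ipc_addid() before
+having initialized the IPC object state. Yes, we initialize the IPC
+object in a locked state, but with all the lockless RCU lookup work,
+that IPC object lock no longer means that the state cannot be seen.
+
+We already did this for the IPC semaphore code (see commit e8577d1f0329:
+"ipc/sem.c: fully initialize sem_array before making it visible") but we
+clearly forgot about msg and shm.
+
+Fixes CVE-2015-7613.
+Upstream-Status: Backport
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: Manfred Spraul <manfred@colorfullife.com>
+Cc: Davidlohr Bueso <dbueso@suse.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ ipc/msg.c | 14 +++++++-------
+ ipc/shm.c | 13 +++++++------
+ ipc/util.c | 8 ++++----
+ 3 files changed, 18 insertions(+), 17 deletions(-)
+
+diff --git a/ipc/msg.c b/ipc/msg.c
+index c5d8e37..cfc8b38 100644
+--- a/ipc/msg.c
++++ b/ipc/msg.c
+@@ -137,13 +137,6 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params)
+ return retval;
+ }
+
+- /* ipc_addid() locks msq upon success. */
+- id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
+- if (id < 0) {
+- ipc_rcu_putref(msq, msg_rcu_free);
+- return id;
+- }
+-
+ msq->q_stime = msq->q_rtime = 0;
+ msq->q_ctime = get_seconds();
+ msq->q_cbytes = msq->q_qnum = 0;
+@@ -153,6 +146,13 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params)
+ INIT_LIST_HEAD(&msq->q_receivers);
+ INIT_LIST_HEAD(&msq->q_senders);
+
++ /* ipc_addid() locks msq upon success. */
++ id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
++ if (id < 0) {
++ ipc_rcu_putref(msq, msg_rcu_free);
++ return id;
++ }
++
+ ipc_unlock_object(&msq->q_perm);
+ rcu_read_unlock();
+
+diff --git a/ipc/shm.c b/ipc/shm.c
+index 0145479..2511771 100644
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -549,12 +549,6 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
+ if (IS_ERR(file))
+ goto no_file;
+
+- id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
+- if (id < 0) {
+- error = id;
+- goto no_id;
+- }
+-
+ shp->shm_cprid = task_tgid_vnr(current);
+ shp->shm_lprid = 0;
+ shp->shm_atim = shp->shm_dtim = 0;
+@@ -563,6 +557,13 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
+ shp->shm_nattch = 0;
+ shp->shm_file = file;
+ shp->shm_creator = current;
++
++ id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
++ if (id < 0) {
++ error = id;
++ goto no_id;
++ }
++
+ list_add(&shp->shm_clist, &current->sysvshm.shm_clist);
+
+ /*
+diff --git a/ipc/util.c b/ipc/util.c
+index 88adc32..bc72cbf 100644
+--- a/ipc/util.c
++++ b/ipc/util.c
+@@ -277,6 +277,10 @@ int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int size)
+ rcu_read_lock();
+ spin_lock(&new->lock);
+
++ current_euid_egid(&euid, &egid);
++ new->cuid = new->uid = euid;
++ new->gid = new->cgid = egid;
++
+ id = idr_alloc(&ids->ipcs_idr, new,
+ (next_id < 0) ? 0 : ipcid_to_idx(next_id), 0,
+ GFP_NOWAIT);
+@@ -289,10 +293,6 @@ int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int size)
+
+ ids->in_use++;
+
+- current_euid_egid(&euid, &egid);
+- new->cuid = new->uid = euid;
+- new->gid = new->cgid = egid;
+-
+ if (next_id < 0) {
+ new->seq = ids->seq++;
+ if (ids->seq > IPCID_SEQ_MAX)
+--
+cgit v0.12
+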
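Review bot: The patch header records the CVE only as free text (`Fixes CVE-2015-7613.`) and carries no `CVE:` tag, which is the OpenEmbedded patch-header convention for security backports and is what lets recipe tooling associate the patch with the advisory; adding `CVE: CVE-2015-7613` next to the `Upstream-Status: Backport` line would make the association explicit. The same applies to the 4.1 copy of the patch in the second file section, so both files would want the tag. The trailing `--` / `cgit v0.12` lines at the end of the file are the cgit download footer rather than a git format-patch signature; they appear harmless when the patch is applied, but dropping them would keep the file to what was actually backported.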
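--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon-4.1/ipc-CVE-2015-7613.patch
@@ -0,0 +1,123 @@
+From 7983297d99ea11152a76420d4325f5d1925e2547 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed, 30 Sep 2015 12:48:40 -0400
+Subject: Initialize msg/shm IPC objects before doing ipc_addid()
+
+commit b9a532277938798b53178d5a66af6e2915cb27cf upstream.
+
+As reported by Dmitry Vyukov, we really shouldn't do ipc_addid() before
+having initialized the IPC object state. Yes, we initialize the IPC
+object in a locked state, but with all the lockless RCU lookup work,
+that IPC object lock no longer means that the state cannot be seen.
+
+We already did this for the IPC semaphore code (see commit e8577d1f0329:
+"ipc/sem.c: fully initialize sem_array before making it visible") but we
+clearly forgot about msg and shm.
+
+Fixes CVE-2015-7613.
+Upstream-Status: Backport
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: Manfred Spraul <manfred@colorfullife.com>
+Cc: Davidlohr Bueso <dbueso@suse.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ ipc/msg.c | 14 +++++++-------
+ ipc/shm.c | 13 +++++++------
+ ipc/util.c | 8 ++++----
+ 3 files changed, 18 insertions(+), 17 deletions(-)
+
+diff --git a/ipc/msg.c b/ipc/msg.c
+index 2b6fdbb..6525406 100644
+--- a/ipc/msg.c
++++ b/ipc/msg.c
+@@ -137,13 +137,6 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params)
+ return retval;
+ }
+
+- /* ipc_addid() locks msq upon success. */
+- id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
+- if (id < 0) {
+- ipc_rcu_putref(msq, msg_rcu_free);
+- return id;
+- }
+-
+ msq->q_stime = msq->q_rtime = 0;
+ msq->q_ctime = get_seconds();
+ msq->q_cbytes = msq->q_qnum = 0;
+@@ -153,6 +146,13 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params)
+ INIT_LIST_HEAD(&msq->q_receivers);
+ INIT_LIST_HEAD(&msq->q_senders);
+
++ /* ipc_addid() locks msq upon success. */
++ id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
++ if (id < 0) {
++ ipc_rcu_putref(msq, msg_rcu_free);
++ return id;
++ }
++
+ ipc_unlock_object(&msq->q_perm);
+ rcu_read_unlock();
+
+diff --git a/ipc/shm.c b/ipc/shm.c
+index 6d76707..499a8bd 100644
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -550,12 +550,6 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
+ if (IS_ERR(file))
+ goto no_file;
+
+- id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
+- if (id < 0) {
+- error = id;
+- goto no_id;
+- }
+-
+ shp->shm_cprid = task_tgid_vnr(current);
+ shp->shm_lprid = 0;
+ shp->shm_atim = shp->shm_dtim = 0;
+@@ -564,6 +558,13 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
+ shp->shm_nattch = 0;
+ shp->shm_file = file;
+ shp->shm_creator = current;
++
++ id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
++ if (id < 0) {
++ error = id;
++ goto no_id;
++ }
++
+ list_add(&shp->shm_clist, &current->sysvshm.shm_clist);
+
+ /*
+diff --git a/ipc/util.c b/ipc/util.c
+index ff3323e..c917e9f 100644
+--- a/ipc/util.c
++++ b/ipc/util.c
+@@ -237,6 +237,10 @@ int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int size)
+ rcu_read_lock();
+ spin_lock(&new->lock);
+
++ current_euid_egid(&euid, &egid);
++ new->cuid = new->uid = euid;
++ new->gid = new->cgid = egid;
++
+ id = idr_alloc(&ids->ipcs_idr, new,
+ (next_id < 0) ? 0 : ipcid_to_idx(next_id), 0,
+ GFP_NOWAIT);
+@@ -249,10 +253,6 @@ int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int size)
+
+ ids->in_use++;
+
+- current_euid_egid(&euid, &egid);
+- new->cuid = new->uid = euid;
+- new->gid = new->cgid = egid;
+-
+ if (next_id < 0) {
+ new->seq = ids->seq++;
+ if (ids->seq > IPCID_SEQ_MAX)
+--
+cgit v0.12
+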
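--- a/recipes-kernel/linux/linux-hierofalcon_3.19.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
@@ -32,6 +32,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.19;branch="standard/qemuarm6
  file://vfs-CVE-2015-2925.patch \
  file://dcache-CVE-2015-2925.patch \
  file://virtio-net-CVE-2015-5156.patch \
+ file://ipc-CVE-2015-7613.patch \
  "
 
 S = "${WORKDIR}/git"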
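--- a/recipes-kernel/linux/linux-hierofalcon_4.1.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
@@ -31,6 +31,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.1;branch="standard/qemuarm64
  file://vfs-CVE-2015-2925.patch \
  file://dcache-CVE-2015-2925.patch \
  file://virtio-net-CVE-2015-5156.patch \
+ file://ipc-CVE-2015-7613.patch \
  "
 
 S = "${WORKDIR}/git"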