ipc: CVE-2015-7613

Fixes a race condition flaw in the Linux kernel's IPC subsystem.

Reference to the upstream patch:
https://github.com/torvalds/linux/commit/b9a532277938
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/
commit/?id=b9a532277938798b53178d5a66af6e2915cb27cf

Other external references:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7613
http://seclists.org/oss-sec/2015/q4/7
http://www.openwall.com/lists/oss-security/2015/10/01/8

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Paul Vaduva <Paul.Vaduva@enea.com>

1 files changed, 124 insertions, 0 deletions

diff --git a/recipes-kernel/linux/linux-hierofalcon-3.19/ipc-CVE-2015-7613.patch b/recipes-kernel/linux/linux-hierofalcon-3.19/ipc-CVE-2015-7613.patch
new file mode 100644
index 0000000..e9b94ad
--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon-3.19/ipc-CVE-2015-7613.patch
@@ -0,0 +1,124 @@
+From b5495ddce4659122180b5fee6fc52dc5196e0918 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed, 30 Sep 2015 12:48:40 -0400
+Subject: Initialize msg/shm IPC objects before doing ipc_addid()
+
+[ Upstream commit b9a532277938798b53178d5a66af6e2915cb27cf ]
+
+As reported by Dmitry Vyukov, we really shouldn't do ipc_addid() before
+having initialized the IPC object state.  Yes, we initialize the IPC
+object in a locked state, but with all the lockless RCU lookup work,
+that IPC object lock no longer means that the state cannot be seen.
+
+We already did this for the IPC semaphore code (see commit e8577d1f0329:
+"ipc/sem.c: fully initialize sem_array before making it visible") but we
+clearly forgot about msg and shm.
+
+Fixes CVE-2015-7613.
+Upstream-Status: Backport
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: Manfred Spraul <manfred@colorfullife.com>
+Cc: Davidlohr Bueso <dbueso@suse.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ ipc/msg.c  | 14 +++++++-------
+ ipc/shm.c  | 13 +++++++------
+ ipc/util.c |  8 ++++----
+ 3 files changed, 18 insertions(+), 17 deletions(-)
+
+diff --git a/ipc/msg.c b/ipc/msg.c
+index c5d8e37..cfc8b38 100644
+--- a/ipc/msg.c
++++ b/ipc/msg.c
+@@ -137,13 +137,6 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params)
+                return retval;
+        }
+ 
+-       /* ipc_addid() locks msq upon success. */
+-       id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
+-       if (id < 0) {
+-               ipc_rcu_putref(msq, msg_rcu_free);
+-               return id;
+-       }
+-
+        msq->q_stime = msq->q_rtime = 0;
+        msq->q_ctime = get_seconds();
+        msq->q_cbytes = msq->q_qnum = 0;
+@@ -153,6 +146,13 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params)
+        INIT_LIST_HEAD(&msq->q_receivers);
+        INIT_LIST_HEAD(&msq->q_senders);
+ 
++       /* ipc_addid() locks msq upon success. */
++       id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
++       if (id < 0) {
++               ipc_rcu_putref(msq, msg_rcu_free);
++               return id;
++       }
++
+        ipc_unlock_object(&msq->q_perm);
+        rcu_read_unlock();
+ 
+diff --git a/ipc/shm.c b/ipc/shm.c
+index 0145479..2511771 100644
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -549,12 +549,6 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
+        if (IS_ERR(file))
+                goto no_file;
+ 
+-       id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
+-       if (id < 0) {
+-               error = id;
+-               goto no_id;
+-       }
+-
+        shp->shm_cprid = task_tgid_vnr(current);
+        shp->shm_lprid = 0;
+        shp->shm_atim = shp->shm_dtim = 0;
+@@ -563,6 +557,13 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
+        shp->shm_nattch = 0;
+        shp->shm_file = file;
+        shp->shm_creator = current;
++
++       id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
++       if (id < 0) {
++               error = id;
++               goto no_id;
++       }
++
+        list_add(&shp->shm_clist, &current->sysvshm.shm_clist);
+ 
+        /*
+diff --git a/ipc/util.c b/ipc/util.c
+index 88adc32..bc72cbf 100644
+--- a/ipc/util.c
++++ b/ipc/util.c
+@@ -277,6 +277,10 @@ int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int size)
+        rcu_read_lock();
+        spin_lock(&new->lock);
+ 
++       current_euid_egid(&euid, &egid);
++       new->cuid = new->uid = euid;
++       new->gid = new->cgid = egid;
++
+        id = idr_alloc(&ids->ipcs_idr, new,
+                       (next_id < 0) ? 0 : ipcid_to_idx(next_id), 0,
+                       GFP_NOWAIT);
+@@ -289,10 +293,6 @@ int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int size)
+ 
+        ids->in_use++;
+ 
+-       current_euid_egid(&euid, &egid);
+-       new->cuid = new->uid = euid;
+-       new->gid = new->cgid = egid;
+-
+        if (next_id < 0) {
+                new->seq = ids->seq++;
+                if (ids->seq > IPCID_SEQ_MAX)
+-- 
+cgit v0.12
+