authorSona Sarmadi <sona.sarmadi@enea.com>2016-01-28 14:32:12 +0100
committerPaul Vaduva <Paul.Vaduva@enea.com>2016-01-28 14:36:21 +0100
commit227e772457791f69b69646556b3ffbbb94936bd0 (patch)
treed1071ed7a3979a0e5e42efe8d06ead100d09eb79 /recipes-kernel/linux/linux-hierofalcon-4.1
parentfebcbabc2e4d859a3caf7808ceda68c956da652f (diff)
ipc: CVE-2015-7613
Fixes a race condition flaw in the Linux kernel's IPC subsystem. Reference to the upstream patch: https://github.com/torvalds/linux/commit/b9a532277938 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b9a532277938798b53178d5a66af6e2915cb27cf Other external references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7613 http://seclists.org/oss-sec/2015/q4/7 http://www.openwall.com/lists/oss-security/2015/10/01/8 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Paul Vaduva <Paul.Vaduva@enea.com>
Diffstat (limited to 'recipes-kernel/linux/linux-hierofalcon-4.1')
-rw-r--r--recipes-kernel/linux/linux-hierofalcon-4.1/ipc-CVE-2015-7613.patch123
1 files changed, 123 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-hierofalcon-4.1/ipc-CVE-2015-7613.patch b/recipes-kernel/linux/linux-hierofalcon-4.1/ipc-CVE-2015-7613.patch
new file mode 100644
index 0000000..28ce612
--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon-4.1/ipc-CVE-2015-7613.patch
@@ -0,0 +1,123 @@
1From 7983297d99ea11152a76420d4325f5d1925e2547 Mon Sep 17 00:00:00 2001
2From: Linus Torvalds <torvalds@linux-foundation.org>
3Date: Wed, 30 Sep 2015 12:48:40 -0400
4Subject: Initialize msg/shm IPC objects before doing ipc_addid()
5
6commit b9a532277938798b53178d5a66af6e2915cb27cf upstream.
7
8As reported by Dmitry Vyukov, we really shouldn't do ipc_addid() before
9having initialized the IPC object state. Yes, we initialize the IPC
10object in a locked state, but with all the lockless RCU lookup work,
11that IPC object lock no longer means that the state cannot be seen.
12
13We already did this for the IPC semaphore code (see commit e8577d1f0329:
14"ipc/sem.c: fully initialize sem_array before making it visible") but we
15clearly forgot about msg and shm.
16
17Fixes CVE-2015-7613.
18Upstream-Status: Backport
19
20Reported-by: Dmitry Vyukov <dvyukov@google.com>
21Cc: Manfred Spraul <manfred@colorfullife.com>
22Cc: Davidlohr Bueso <dbueso@suse.de>
23Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
24Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
25Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
26---
27 ipc/msg.c | 14 +++++++-------
28 ipc/shm.c | 13 +++++++------
29 ipc/util.c | 8 ++++----
30 3 files changed, 18 insertions(+), 17 deletions(-)
31
32diff --git a/ipc/msg.c b/ipc/msg.c
33index 2b6fdbb..6525406 100644
34--- a/ipc/msg.c
35+++ b/ipc/msg.c
36@@ -137,13 +137,6 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params)
37 return retval;
38 }
39
40- /* ipc_addid() locks msq upon success. */
41- id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
42- if (id < 0) {
43- ipc_rcu_putref(msq, msg_rcu_free);
44- return id;
45- }
46-
47 msq->q_stime = msq->q_rtime = 0;
48 msq->q_ctime = get_seconds();
49 msq->q_cbytes = msq->q_qnum = 0;
50@@ -153,6 +146,13 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params)
51 INIT_LIST_HEAD(&msq->q_receivers);
52 INIT_LIST_HEAD(&msq->q_senders);
53
54+ /* ipc_addid() locks msq upon success. */
55+ id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
56+ if (id < 0) {
57+ ipc_rcu_putref(msq, msg_rcu_free);
58+ return id;
59+ }
60+
61 ipc_unlock_object(&msq->q_perm);
62 rcu_read_unlock();
63
64diff --git a/ipc/shm.c b/ipc/shm.c
65index 6d76707..499a8bd 100644
66--- a/ipc/shm.c
67+++ b/ipc/shm.c
68@@ -550,12 +550,6 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
69 if (IS_ERR(file))
70 goto no_file;
71
72- id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
73- if (id < 0) {
74- error = id;
75- goto no_id;
76- }
77-
78 shp->shm_cprid = task_tgid_vnr(current);
79 shp->shm_lprid = 0;
80 shp->shm_atim = shp->shm_dtim = 0;
81@@ -564,6 +558,13 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
82 shp->shm_nattch = 0;
83 shp->shm_file = file;
84 shp->shm_creator = current;
85+
86+ id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
87+ if (id < 0) {
88+ error = id;
89+ goto no_id;
90+ }
91+
92 list_add(&shp->shm_clist, &current->sysvshm.shm_clist);
93
94 /*
95diff --git a/ipc/util.c b/ipc/util.c
96index ff3323e..c917e9f 100644
97--- a/ipc/util.c
98+++ b/ipc/util.c
99@@ -237,6 +237,10 @@ int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int size)
100 rcu_read_lock();
101 spin_lock(&new->lock);
102
103+ current_euid_egid(&euid, &egid);
104+ new->cuid = new->uid = euid;
105+ new->gid = new->cgid = egid;
106+
107 id = idr_alloc(&ids->ipcs_idr, new,
108 (next_id < 0) ? 0 : ipcid_to_idx(next_id), 0,
109 GFP_NOWAIT);
110@@ -249,10 +253,6 @@ int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int size)
111
112 ids->in_use++;
113
114- current_euid_egid(&euid, &egid);
115- new->cuid = new->uid = euid;
116- new->gid = new->cgid = egid;
117-
118 if (next_id < 0) {
119 new->seq = ids->seq++;
120 if (ids->seq > IPCID_SEQ_MAX)
121--
122cgit v0.12
123
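Review bot: The patch header (lines 17–18 of the new file, `Fixes CVE-2015-7613.` and `Upstream-Status: Backport`) carries no `CVE:` tag, so the cve-check tooling presumably associates this fix with the CVE only through the id embedded in the filename; adding `CVE: CVE-2015-7613` next to `Upstream-Status: Backport` keeps that association intact if the file is ever renamed. The diffstat is limited to this directory, so whether the kernel recipe's SRC_URI actually picks up `ipc-CVE-2015-7613.patch` is not visible here and should be confirmed in the same commit. The three hunks appear to match the referenced upstream commit b9a532277938 — ipc_addid() moved after full object initialisation in newque() and newseg(), and the euid/egid assignment moved ahead of idr_alloc() in ipc_addid() so a lockless RCU lookup can no longer observe an unset owner — and the removed lines show the 4.1 tree has the pre-fix layout the patch expects. Line 122 of the new file reads `cgit v0.12` in this rendering, which looks like the site footer fused onto the patch's trailing git-version line rather than real file content; worth checking the committed file ends with the usual `--`/version trailer.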