authorSona Sarmadi <sona.sarmadi@enea.com>2015-12-09 08:46:50 +0100
committerNora Björklund <nora.bjorklund@enea.com>2015-12-09 10:16:12 +0100
commit08b46ce9e33c472ae04a8f1ec6ad1601594797f7 (patch)
tree43136a3853eac14a32337ddbb2fdf41ba549eb30 /recipes-kernel
parent752848f86e67d0634c413e097363172f4f18d98b (diff)
linux-hierofalcon: CVE-2015-3339
Fixes a race condition between the chown() and execve() system calls in the linux-hierofalcon 3.19 kernel (backported from the stable v3.18.24 kernel on kernel.org). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3339 http://seclists.org/oss-sec/2015/q2/216 Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=7f1a6ae73b5c2d24b21d9a27928ceacef3a9a939 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Nora Björklund <nora.bjorklund@enea.com>
Diffstat (limited to 'recipes-kernel')
-rw-r--r--recipes-kernel/linux/linux-hierofalcon-3.19/fs-CVE-2015-3339.patch121
-rw-r--r--recipes-kernel/linux/linux-hierofalcon_3.19.bb1
2 files changed, 122 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-hierofalcon-3.19/fs-CVE-2015-3339.patch b/recipes-kernel/linux/linux-hierofalcon-3.19/fs-CVE-2015-3339.patch
new file mode 100644
index 0000000..ec86cb8
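--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon-3.19/fs-CVE-2015-3339.patch
@@ -0,0 +1,121 @@
+Date: Sun, 19 Apr 2015 02:48:39 +0200
+Subject: fs: take i_mutex during prepare_binprm for set[ug]id executables
+
+[ Upstream commit 8b01fc86b9f425899f8a3a8fc1c47d73c2c20543 ]
+
+This prevents a race between chown() and execve(), where chowning a
+setuid-user binary to root would momentarily make the binary setuid
+root.
+
+This patch was mostly written by Linus Torvalds.
+
+Fixes CVE-2015-3339.
+Upstream-Status: Backport
+
+Signed-off-by: Jann Horn <jann@thejh.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ fs/exec.c | 76 ++++++++++++++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 48 insertions(+), 28 deletions(-)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index 7302b75..2e83209 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1250,6 +1250,53 @@ static void check_unsafe_exec(struct linux_binprm *bprm)
+ spin_unlock(&p->fs->lock);
+ }
+
++static void bprm_fill_uid(struct linux_binprm *bprm)
++{
++ struct inode *inode;
++ unsigned int mode;
++ kuid_t uid;
++ kgid_t gid;
++
++ /* clear any previous set[ug]id data from a previous binary */
++ bprm->cred->euid = current_euid();
++ bprm->cred->egid = current_egid();
++
++ if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
++ return;
++
++ if (task_no_new_privs(current))
++ return;
++
++ inode = file_inode(bprm->file);
++ mode = READ_ONCE(inode->i_mode);
++ if (!(mode & (S_ISUID|S_ISGID)))
++ return;
++
++ /* Be careful if suid/sgid is set */
++ mutex_lock(&inode->i_mutex);
++
++ /* reload atomically mode/uid/gid now that lock held */
++ mode = inode->i_mode;
++ uid = inode->i_uid;
++ gid = inode->i_gid;
++ mutex_unlock(&inode->i_mutex);
++
++ /* We ignore suid/sgid if there are no mappings for them in the ns */
++ if (!kuid_has_mapping(bprm->cred->user_ns, uid) ||
++ !kgid_has_mapping(bprm->cred->user_ns, gid))
++ return;
++
++ if (mode & S_ISUID) {
++ bprm->per_clear |= PER_CLEAR_ON_SETID;
++ bprm->cred->euid = uid;
++ }
++
++ if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
++ bprm->per_clear |= PER_CLEAR_ON_SETID;
++ bprm->cred->egid = gid;
++ }
++}
++
+ /*
+ * Fill the binprm structure from the inode.
+ * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes
+@@ -1258,36 +1305,9 @@ static void check_unsafe_exec(struct linux_binprm *bprm)
+ */
+ int prepare_binprm(struct linux_binprm *bprm)
+ {
+- struct inode *inode = file_inode(bprm->file);
+- umode_t mode = inode->i_mode;
+ int retval;
+
+-
+- /* clear any previous set[ug]id data from a previous binary */
+- bprm->cred->euid = current_euid();
+- bprm->cred->egid = current_egid();
+-
+- if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) &&
+- !task_no_new_privs(current) &&
+- kuid_has_mapping(bprm->cred->user_ns, inode->i_uid) &&
+- kgid_has_mapping(bprm->cred->user_ns, inode->i_gid)) {
+- /* Set-uid? */
+- if (mode & S_ISUID) {
+- bprm->per_clear |= PER_CLEAR_ON_SETID;
+- bprm->cred->euid = inode->i_uid;
+- }
+-
+- /* Set-gid? */
+- /*
+- * If setgid is set but no group execute bit then this
+- * is a candidate for mandatory locking, not a setgid
+- * executable.
+- */
+- if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
+- bprm->per_clear |= PER_CLEAR_ON_SETID;
+- bprm->cred->egid = inode->i_gid;
+- }
+- }
++ bprm_fill_uid(bprm);
+
+ /* fill in binprm security blob */
+ retval = security_bprm_set_creds(bprm);
+--
+cgit v0.11.2
+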
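Review bot: The setgid test at the end of the new bprm_fill_uid() in the embedded fs/exec.c patch has lost the comment that the removed prepare_binprm() code carried, so the `(S_ISGID | S_IXGRP)` comparison now reads like a mistake. I would restore it above that `if` as `/* setgid without group-execute is a mandatory-locking candidate, not a setgid executable */`. The lockless `READ_ONCE(inode->i_mode)` check also deserves a line saying it is only a fast path, e.g. `/* unlocked peek only; mode/uid/gid used below are re-read under i_mutex */`. The locked snapshot is consistent only if the chown side updates those fields under the same mutex, which this patch does not show, so the existing "reload atomically" comment should name that assumption.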
diff --git a/recipes-kernel/linux/linux-hierofalcon_3.19.bb b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
index 45a2ece..a1c3e6e 100644
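--- a/recipes-kernel/linux/linux-hierofalcon_3.19.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
@@ -19,6 +19,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.19;branch="standard/qemuarm6
  file://udp_fix_behavior_of_wrong_checksums.patch \
  file://RDS-CVE-2015-6937.patch \
  file://RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch \
+ file://fs-CVE-2015-3339.patch \
 "
 
 S = "${WORKDIR}/git"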