From 227e772457791f69b69646556b3ffbbb94936bd0 Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Thu, 28 Jan 2016 14:32:12 +0100 Subject: ipc: CVE-2015-7613 Fixes a race condition flaw in the Linux kernel's IPC subsystem. Reference to the upstream patch: https://github.com/torvalds/linux/commit/b9a532277938 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/ commit/?id=b9a532277938798b53178d5a66af6e2915cb27cf Other external references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7613 http://seclists.org/oss-sec/2015/q4/7 http://www.openwall.com/lists/oss-security/2015/10/01/8 Signed-off-by: Sona Sarmadi Signed-off-by: Paul Vaduva --- .../linux-hierofalcon-3.19/ipc-CVE-2015-7613.patch | 124 +++++++++++++++++++++ .../linux-hierofalcon-4.1/ipc-CVE-2015-7613.patch | 123 ++++++++++++++++++++ recipes-kernel/linux/linux-hierofalcon_3.19.bb | 1 + recipes-kernel/linux/linux-hierofalcon_4.1.bb | 1 + 4 files changed, 249 insertions(+) create mode 100644 recipes-kernel/linux/linux-hierofalcon-3.19/ipc-CVE-2015-7613.patch create mode 100644 recipes-kernel/linux/linux-hierofalcon-4.1/ipc-CVE-2015-7613.patch diff --git a/recipes-kernel/linux/linux-hierofalcon-3.19/ipc-CVE-2015-7613.patch b/recipes-kernel/linux/linux-hierofalcon-3.19/ipc-CVE-2015-7613.patch new file mode 100644 index 0000000..e9b94ad --- /dev/null +++ b/recipes-kernel/linux/linux-hierofalcon-3.19/ipc-CVE-2015-7613.patch @@ -0,0 +1,124 @@ +From b5495ddce4659122180b5fee6fc52dc5196e0918 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Wed, 30 Sep 2015 12:48:40 -0400 +Subject: Initialize msg/shm IPC objects before doing ipc_addid() + +[ Upstream commit b9a532277938798b53178d5a66af6e2915cb27cf ] + +As reported by Dmitry Vyukov, we really shouldn't do ipc_addid() before +having initialized the IPC object state. Yes, we initialize the IPC +object in a locked state, but with all the lockless RCU lookup work, +that IPC object lock no longer means that the state cannot be seen. + +We already did this for the IPC semaphore code (see commit e8577d1f0329: +"ipc/sem.c: fully initialize sem_array before making it visible") but we +clearly forgot about msg and shm. + +Fixes CVE-2015-7613. +Upstream-Status: Backport + +Reported-by: Dmitry Vyukov +Cc: Manfred Spraul +Cc: Davidlohr Bueso +Cc: stable@vger.kernel.org +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Sona Sarmadi +--- + ipc/msg.c | 14 +++++++------- + ipc/shm.c | 13 +++++++------ + ipc/util.c | 8 ++++---- + 3 files changed, 18 insertions(+), 17 deletions(-) + +diff --git a/ipc/msg.c b/ipc/msg.c +index c5d8e37..cfc8b38 100644 +--- a/ipc/msg.c ++++ b/ipc/msg.c +@@ -137,13 +137,6 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params) + return retval; + } + +- /* ipc_addid() locks msq upon success. */ +- id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni); +- if (id < 0) { +- ipc_rcu_putref(msq, msg_rcu_free); +- return id; +- } +- + msq->q_stime = msq->q_rtime = 0; + msq->q_ctime = get_seconds(); + msq->q_cbytes = msq->q_qnum = 0; +@@ -153,6 +146,13 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params) + INIT_LIST_HEAD(&msq->q_receivers); + INIT_LIST_HEAD(&msq->q_senders); + ++ /* ipc_addid() locks msq upon success. */ ++ id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni); ++ if (id < 0) { ++ ipc_rcu_putref(msq, msg_rcu_free); ++ return id; ++ } ++ + ipc_unlock_object(&msq->q_perm); + rcu_read_unlock(); + +diff --git a/ipc/shm.c b/ipc/shm.c +index 0145479..2511771 100644 +--- a/ipc/shm.c ++++ b/ipc/shm.c +@@ -549,12 +549,6 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params) + if (IS_ERR(file)) + goto no_file; + +- id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni); +- if (id < 0) { +- error = id; +- goto no_id; +- } +- + shp->shm_cprid = task_tgid_vnr(current); + shp->shm_lprid = 0; + shp->shm_atim = shp->shm_dtim = 0; +@@ -563,6 +557,13 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params) + shp->shm_nattch = 0; + shp->shm_file = file; + shp->shm_creator = current; ++ ++ id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni); ++ if (id < 0) { ++ error = id; ++ goto no_id; ++ } ++ + list_add(&shp->shm_clist, ¤t->sysvshm.shm_clist); + + /* +diff --git a/ipc/util.c b/ipc/util.c +index 88adc32..bc72cbf 100644 +--- a/ipc/util.c ++++ b/ipc/util.c +@@ -277,6 +277,10 @@ int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int size) + rcu_read_lock(); + spin_lock(&new->lock); + ++ current_euid_egid(&euid, &egid); ++ new->cuid = new->uid = euid; ++ new->gid = new->cgid = egid; ++ + id = idr_alloc(&ids->ipcs_idr, new, + (next_id < 0) ? 0 : ipcid_to_idx(next_id), 0, + GFP_NOWAIT); +@@ -289,10 +293,6 @@ int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int size) + + ids->in_use++; + +- current_euid_egid(&euid, &egid); +- new->cuid = new->uid = euid; +- new->gid = new->cgid = egid; +- + if (next_id < 0) { + new->seq = ids->seq++; + if (ids->seq > IPCID_SEQ_MAX) +-- +cgit v0.12 + diff --git a/recipes-kernel/linux/linux-hierofalcon-4.1/ipc-CVE-2015-7613.patch b/recipes-kernel/linux/linux-hierofalcon-4.1/ipc-CVE-2015-7613.patch new file mode 100644 index 0000000..28ce612 --- /dev/null +++ b/recipes-kernel/linux/linux-hierofalcon-4.1/ipc-CVE-2015-7613.patch @@ -0,0 +1,123 @@ +From 7983297d99ea11152a76420d4325f5d1925e2547 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Wed, 30 Sep 2015 12:48:40 -0400 +Subject: Initialize msg/shm IPC objects before doing ipc_addid() + +commit b9a532277938798b53178d5a66af6e2915cb27cf upstream. + +As reported by Dmitry Vyukov, we really shouldn't do ipc_addid() before +having initialized the IPC object state. Yes, we initialize the IPC +object in a locked state, but with all the lockless RCU lookup work, +that IPC object lock no longer means that the state cannot be seen. + +We already did this for the IPC semaphore code (see commit e8577d1f0329: +"ipc/sem.c: fully initialize sem_array before making it visible") but we +clearly forgot about msg and shm. + +Fixes CVE-2015-7613. +Upstream-Status: Backport + +Reported-by: Dmitry Vyukov +Cc: Manfred Spraul +Cc: Davidlohr Bueso +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sona Sarmadi +--- + ipc/msg.c | 14 +++++++------- + ipc/shm.c | 13 +++++++------ + ipc/util.c | 8 ++++---- + 3 files changed, 18 insertions(+), 17 deletions(-) + +diff --git a/ipc/msg.c b/ipc/msg.c +index 2b6fdbb..6525406 100644 +--- a/ipc/msg.c ++++ b/ipc/msg.c +@@ -137,13 +137,6 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params) + return retval; + } + +- /* ipc_addid() locks msq upon success. */ +- id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni); +- if (id < 0) { +- ipc_rcu_putref(msq, msg_rcu_free); +- return id; +- } +- + msq->q_stime = msq->q_rtime = 0; + msq->q_ctime = get_seconds(); + msq->q_cbytes = msq->q_qnum = 0; +@@ -153,6 +146,13 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params) + INIT_LIST_HEAD(&msq->q_receivers); + INIT_LIST_HEAD(&msq->q_senders); + ++ /* ipc_addid() locks msq upon success. */ ++ id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni); ++ if (id < 0) { ++ ipc_rcu_putref(msq, msg_rcu_free); ++ return id; ++ } ++ + ipc_unlock_object(&msq->q_perm); + rcu_read_unlock(); + +diff --git a/ipc/shm.c b/ipc/shm.c +index 6d76707..499a8bd 100644 +--- a/ipc/shm.c ++++ b/ipc/shm.c +@@ -550,12 +550,6 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params) + if (IS_ERR(file)) + goto no_file; + +- id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni); +- if (id < 0) { +- error = id; +- goto no_id; +- } +- + shp->shm_cprid = task_tgid_vnr(current); + shp->shm_lprid = 0; + shp->shm_atim = shp->shm_dtim = 0; +@@ -564,6 +558,13 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params) + shp->shm_nattch = 0; + shp->shm_file = file; + shp->shm_creator = current; ++ ++ id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni); ++ if (id < 0) { ++ error = id; ++ goto no_id; ++ } ++ + list_add(&shp->shm_clist, ¤t->sysvshm.shm_clist); + + /* +diff --git a/ipc/util.c b/ipc/util.c +index ff3323e..c917e9f 100644 +--- a/ipc/util.c ++++ b/ipc/util.c +@@ -237,6 +237,10 @@ int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int size) + rcu_read_lock(); + spin_lock(&new->lock); + ++ current_euid_egid(&euid, &egid); ++ new->cuid = new->uid = euid; ++ new->gid = new->cgid = egid; ++ + id = idr_alloc(&ids->ipcs_idr, new, + (next_id < 0) ? 0 : ipcid_to_idx(next_id), 0, + GFP_NOWAIT); +@@ -249,10 +253,6 @@ int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int size) + + ids->in_use++; + +- current_euid_egid(&euid, &egid); +- new->cuid = new->uid = euid; +- new->gid = new->cgid = egid; +- + if (next_id < 0) { + new->seq = ids->seq++; + if (ids->seq > IPCID_SEQ_MAX) +-- +cgit v0.12 + diff --git a/recipes-kernel/linux/linux-hierofalcon_3.19.bb b/recipes-kernel/linux/linux-hierofalcon_3.19.bb index eceb03c..5b3bd5e 100644 --- a/recipes-kernel/linux/linux-hierofalcon_3.19.bb +++ b/recipes-kernel/linux/linux-hierofalcon_3.19.bb @@ -32,6 +32,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.19;branch="standard/qemuarm6 file://vfs-CVE-2015-2925.patch \ file://dcache-CVE-2015-2925.patch \ file://virtio-net-CVE-2015-5156.patch \ + file://ipc-CVE-2015-7613.patch \ " S = "${WORKDIR}/git" diff --git a/recipes-kernel/linux/linux-hierofalcon_4.1.bb b/recipes-kernel/linux/linux-hierofalcon_4.1.bb index c67b8a6..85ded8c 100644 --- a/recipes-kernel/linux/linux-hierofalcon_4.1.bb +++ b/recipes-kernel/linux/linux-hierofalcon_4.1.bb @@ -31,6 +31,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.1;branch="standard/qemuarm64 file://vfs-CVE-2015-2925.patch \ file://dcache-CVE-2015-2925.patch \ file://virtio-net-CVE-2015-5156.patch \ + file://ipc-CVE-2015-7613.patch \ " S = "${WORKDIR}/git" -- cgit v1.2.3-54-g00ecf