1 files changed, 98 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.24/0096-eCryptfs-Gracefully-refuse-miscdev-file-ops-on-inher.patch b/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.24/0096-eCryptfs-Gracefully-refuse-miscdev-file-ops-on-inher.patch
new file mode 100644
index 00000000..ba3b5582
--- /dev/null
+++ b/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.24/0096-eCryptfs-Gracefully-refuse-miscdev-file-ops-on-inher.patch
@@ -0,0 +1,98 @@
+From 5daf178c74f17e523291b0c4eabbf3b3f3740b75 Mon Sep 17 00:00:00 2001
+From: Tyler Hicks <tyhicks@canonical.com>
+Date: Mon, 11 Jun 2012 09:24:11 -0700
+Subject: [PATCH 096/109] eCryptfs: Gracefully refuse miscdev file ops on
+ inherited/passed files
+commit 8dc6780587c99286c0d3de747a2946a76989414a upstream.
+File operations on /dev/ecryptfs would BUG() when the operations were
+performed by processes other than the process that originally opened the
+file. This could happen with open files inherited after fork() or file
+descriptors passed through IPC mechanisms. Rather than calling BUG(), an
+error code can be safely returned in most situations.
+In ecryptfs_miscdev_release(), eCryptfs still needs to handle the
+release even if the last file reference is being held by a process that
+didn't originally open the file. ecryptfs_find_daemon_by_euid() will not
+be successful, so a pointer to the daemon is stored in the file's
+private_data. The private_data pointer is initialized when the miscdev
+file is opened and only used when the file is released.
+https://launchpad.net/bugs/994247
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Reported-by: Sasha Levin <levinsasha928@gmail.com>
+Tested-by: Sasha Levin <levinsasha928@gmail.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/ecryptfs/miscdev.c |   23 ++++++++++++++++-------
+ 1 files changed, 16 insertions(+), 7 deletions(-)
+diff --git a/fs/ecryptfs/miscdev.c b/fs/ecryptfs/miscdev.c
+index 0dc5a3d..a050e4b 100644
+--- a/fs/ecryptfs/miscdev.c
+++ b/fs/ecryptfs/miscdev.c
+@@ -49,7 +49,10 @@ ecryptfs_miscdev_poll(struct file *file, poll_table *pt)
+        mutex_lock(&ecryptfs_daemon_hash_mux);
+        /* TODO: Just use file->private_data? */
+        rc = ecryptfs_find_daemon_by_euid(&daemon, euid, current_user_ns());
+-       BUG_ON(rc || !daemon);
+       if (rc || !daemon) {
+               mutex_unlock(&ecryptfs_daemon_hash_mux);
+               return -EINVAL;
+       }
+        mutex_lock(&daemon->mux);
+        mutex_unlock(&ecryptfs_daemon_hash_mux);
+        if (daemon->flags & ECRYPTFS_DAEMON_ZOMBIE) {
+@@ -122,6 +125,7 @@ ecryptfs_miscdev_open(struct inode *inode, struct file *file)
+                goto out_unlock_daemon;
+        }
+        daemon->flags |= ECRYPTFS_DAEMON_MISCDEV_OPEN;
+       file->private_data = daemon;
+        atomic_inc(&ecryptfs_num_miscdev_opens);
+ out_unlock_daemon:
+        mutex_unlock(&daemon->mux);
+@@ -152,9 +156,9 @@ ecryptfs_miscdev_release(struct inode *inode, struct file *file)
+ 
+        mutex_lock(&ecryptfs_daemon_hash_mux);
+        rc = ecryptfs_find_daemon_by_euid(&daemon, euid, current_user_ns());
+-       BUG_ON(rc || !daemon);
+       if (rc || !daemon)
+               daemon = file->private_data;
+        mutex_lock(&daemon->mux);
+-       BUG_ON(daemon->pid != task_pid(current));
+        BUG_ON(!(daemon->flags & ECRYPTFS_DAEMON_MISCDEV_OPEN));
+        daemon->flags &= ~ECRYPTFS_DAEMON_MISCDEV_OPEN;
+        atomic_dec(&ecryptfs_num_miscdev_opens);
+@@ -246,8 +250,16 @@ ecryptfs_miscdev_read(struct file *file, char __user *buf, size_t count,
+        mutex_lock(&ecryptfs_daemon_hash_mux);
+        /* TODO: Just use file->private_data? */
+        rc = ecryptfs_find_daemon_by_euid(&daemon, euid, current_user_ns());
+-       BUG_ON(rc || !daemon);
+       if (rc || !daemon) {
+               mutex_unlock(&ecryptfs_daemon_hash_mux);
+               return -EINVAL;
+       }
+        mutex_lock(&daemon->mux);
+       if (task_pid(current) != daemon->pid) {
+               mutex_unlock(&daemon->mux);
+               mutex_unlock(&ecryptfs_daemon_hash_mux);
+               return -EPERM;
+       }
+        if (daemon->flags & ECRYPTFS_DAEMON_ZOMBIE) {
+                rc = 0;
+                mutex_unlock(&ecryptfs_daemon_hash_mux);
+@@ -284,9 +296,6 @@ check_list:
+                 * message from the queue; try again */
+                goto check_list;
+        }
+-       BUG_ON(euid != daemon->euid);
+-       BUG_ON(current_user_ns() != daemon->user_ns);
+-       BUG_ON(task_pid(current) != daemon->pid);
+        msg_ctx = list_first_entry(&daemon->msg_ctx_out_queue,
+                                   struct ecryptfs_msg_ctx, daemon_out_list);
+        BUG_ON(!msg_ctx);
+-- 
+1.7.7.6

diff --git a/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.24/0096-eCryptfs-Gracefully-refuse-miscdev-file-ops-on-inher.patch b/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.24/0096-eCryptfs-Gracefully-refuse-miscdev-file-ops-on-inher.patch new file mode 100644 index 00000000..ba3b5582 --- /dev/null +++ b/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.24/0096-eCryptfs-Gracefully-refuse-miscdev-file-ops-on-inher.patch
@@ -0,0 +1,98 @@
	1	From 5daf178c74f17e523291b0c4eabbf3b3f3740b75 Mon Sep 17 00:00:00 2001
	2	From: Tyler Hicks <tyhicks@canonical.com>
	3	Date: Mon, 11 Jun 2012 09:24:11 -0700
	4	Subject: [PATCH 096/109] eCryptfs: Gracefully refuse miscdev file ops on
	5	inherited/passed files
	6
	7	commit 8dc6780587c99286c0d3de747a2946a76989414a upstream.
	8
	9	File operations on /dev/ecryptfs would BUG() when the operations were
	10	performed by processes other than the process that originally opened the
	11	file. This could happen with open files inherited after fork() or file
	12	descriptors passed through IPC mechanisms. Rather than calling BUG(), an
	13	error code can be safely returned in most situations.
	14
	15	In ecryptfs_miscdev_release(), eCryptfs still needs to handle the
	16	release even if the last file reference is being held by a process that
	17	didn't originally open the file. ecryptfs_find_daemon_by_euid() will not
	18	be successful, so a pointer to the daemon is stored in the file's
	19	private_data. The private_data pointer is initialized when the miscdev
	20	file is opened and only used when the file is released.
	21
	22	https://launchpad.net/bugs/994247
	23
	24	Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
	25	Reported-by: Sasha Levin <levinsasha928@gmail.com>
	26	Tested-by: Sasha Levin <levinsasha928@gmail.com>
	27	Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
	28	---
	29	fs/ecryptfs/miscdev.c \| 23 ++++++++++++++++-------
	30	1 files changed, 16 insertions(+), 7 deletions(-)
	31
	32	diff --git a/fs/ecryptfs/miscdev.c b/fs/ecryptfs/miscdev.c
	33	index 0dc5a3d..a050e4b 100644
	34	--- a/fs/ecryptfs/miscdev.c
	35	+++ b/fs/ecryptfs/miscdev.c
	36	@@ -49,7 +49,10 @@ ecryptfs_miscdev_poll(struct file file, poll_table pt)
	37	mutex_lock(&ecryptfs_daemon_hash_mux);
	38	/* TODO: Just use file->private_data? */
	39	rc = ecryptfs_find_daemon_by_euid(&daemon, euid, current_user_ns());
	40	- BUG_ON(rc \|\| !daemon);
	41	+ if (rc \|\| !daemon) {
	42	+ mutex_unlock(&ecryptfs_daemon_hash_mux);
	43	+ return -EINVAL;
	44	+ }
	45	mutex_lock(&daemon->mux);
	46	mutex_unlock(&ecryptfs_daemon_hash_mux);
	47	if (daemon->flags & ECRYPTFS_DAEMON_ZOMBIE) {
	48	@@ -122,6 +125,7 @@ ecryptfs_miscdev_open(struct inode inode, struct file file)
	49	goto out_unlock_daemon;
	50	}
	51	daemon->flags \|= ECRYPTFS_DAEMON_MISCDEV_OPEN;
	52	+ file->private_data = daemon;
	53	atomic_inc(&ecryptfs_num_miscdev_opens);
	54	out_unlock_daemon:
	55	mutex_unlock(&daemon->mux);
	56	@@ -152,9 +156,9 @@ ecryptfs_miscdev_release(struct inode inode, struct file file)
	57
	58	mutex_lock(&ecryptfs_daemon_hash_mux);
	59	rc = ecryptfs_find_daemon_by_euid(&daemon, euid, current_user_ns());
	60	- BUG_ON(rc \|\| !daemon);
	61	+ if (rc \|\| !daemon)
	62	+ daemon = file->private_data;
	63	mutex_lock(&daemon->mux);
	64	- BUG_ON(daemon->pid != task_pid(current));
	65	BUG_ON(!(daemon->flags & ECRYPTFS_DAEMON_MISCDEV_OPEN));
	66	daemon->flags &= ~ECRYPTFS_DAEMON_MISCDEV_OPEN;
	67	atomic_dec(&ecryptfs_num_miscdev_opens);
	68	@@ -246,8 +250,16 @@ ecryptfs_miscdev_read(struct file file, char __user buf, size_t count,
	69	mutex_lock(&ecryptfs_daemon_hash_mux);
	70	/* TODO: Just use file->private_data? */
	71	rc = ecryptfs_find_daemon_by_euid(&daemon, euid, current_user_ns());
	72	- BUG_ON(rc \|\| !daemon);
	73	+ if (rc \|\| !daemon) {
	74	+ mutex_unlock(&ecryptfs_daemon_hash_mux);
	75	+ return -EINVAL;
	76	+ }
	77	mutex_lock(&daemon->mux);
	78	+ if (task_pid(current) != daemon->pid) {
	79	+ mutex_unlock(&daemon->mux);
	80	+ mutex_unlock(&ecryptfs_daemon_hash_mux);
	81	+ return -EPERM;
	82	+ }
	83	if (daemon->flags & ECRYPTFS_DAEMON_ZOMBIE) {
	84	rc = 0;
	85	mutex_unlock(&ecryptfs_daemon_hash_mux);
	86	@@ -284,9 +296,6 @@ check_list:
	87	* message from the queue; try again */
	88	goto check_list;
	89	}
	90	- BUG_ON(euid != daemon->euid);
	91	- BUG_ON(current_user_ns() != daemon->user_ns);
	92	- BUG_ON(task_pid(current) != daemon->pid);
	93	msg_ctx = list_first_entry(&daemon->msg_ctx_out_queue,
	94	struct ecryptfs_msg_ctx, daemon_out_list);
	95	BUG_ON(!msg_ctx);
	96	--
	97	1.7.7.6
	98