[meta-freescale] [meta-fsl-ppc][PATCH][dizzy 5/5] fs: CVE-2015-3339
Sona Sarmadi
sona.sarmadi at enea.com
Tue Dec 15 04:57:33 PST 2015
Fixes race condition between chown() and execve() system calls in the
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3339
http://seclists.org/oss-sec/2015/q2/216
Upstream fix:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch
/?id=5176b77f1aacdc560eaeac4685ade444bb814689
Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
---
recipes-kernel/linux/files/fs-CVE-2015-3339.patch | 127 ++++++++++++++++++++++
recipes-kernel/linux/linux-qoriq_3.12.bb | 1 +
2 files changed, 128 insertions(+)
create mode 100644 recipes-kernel/linux/files/fs-CVE-2015-3339.patch
diff --git a/recipes-kernel/linux/files/fs-CVE-2015-3339.patch b/recipes-kernel/linux/files/fs-CVE-2015-3339.patch
new file mode 100644
index 0000000..732f009
--- /dev/null
+++ b/recipes-kernel/linux/files/fs-CVE-2015-3339.patch
@@ -0,0 +1,127 @@
+From 5176b77f1aacdc560eaeac4685ade444bb814689 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jann at thejh.net>
+Date: Sun, 19 Apr 2015 02:48:39 +0200
+Subject: fs: take i_mutex during prepare_binprm for set[ug]id executables
+
+commit 8b01fc86b9f425899f8a3a8fc1c47d73c2c20543 upstream.
+
+This prevents a race between chown() and execve(), where chowning a
+setuid-user binary to root would momentarily make the binary setuid
+root.
+
+This patch was mostly written by Linus Torvalds.
+
+Fixes CVE-2015-3339.
+Upstream-Status: Backport
+
+Signed-off-by: Jann Horn <jann at thejh.net>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Charles Williams <ciwillia at brocade.com>
+Signed-off-by: Jiri Slaby <jslaby at suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
+---
+ fs/exec.c | 76 ++++++++++++++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 48 insertions(+), 28 deletions(-)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index 26bb91b..d8b46a1 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1272,6 +1272,53 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
+ return res;
+ }
+
++static void bprm_fill_uid(struct linux_binprm *bprm)
++{
++ struct inode *inode;
++ unsigned int mode;
++ kuid_t uid;
++ kgid_t gid;
++
++ /* clear any previous set[ug]id data from a previous binary */
++ bprm->cred->euid = current_euid();
++ bprm->cred->egid = current_egid();
++
++ if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
++ return;
++
++ if (current->no_new_privs)
++ return;
++
++ inode = file_inode(bprm->file);
++ mode = ACCESS_ONCE(inode->i_mode);
++ if (!(mode & (S_ISUID|S_ISGID)))
++ return;
++
++ /* Be careful if suid/sgid is set */
++ mutex_lock(&inode->i_mutex);
++
++ /* reload atomically mode/uid/gid now that lock held */
++ mode = inode->i_mode;
++ uid = inode->i_uid;
++ gid = inode->i_gid;
++ mutex_unlock(&inode->i_mutex);
++
++ /* We ignore suid/sgid if there are no mappings for them in the ns */
++ if (!kuid_has_mapping(bprm->cred->user_ns, uid) ||
++ !kgid_has_mapping(bprm->cred->user_ns, gid))
++ return;
++
++ if (mode & S_ISUID) {
++ bprm->per_clear |= PER_CLEAR_ON_SETID;
++ bprm->cred->euid = uid;
++ }
++
++ if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
++ bprm->per_clear |= PER_CLEAR_ON_SETID;
++ bprm->cred->egid = gid;
++ }
++}
++
+ /*
+ * Fill the binprm structure from the inode.
+ * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes
+@@ -1280,39 +1327,12 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
+ */
+ int prepare_binprm(struct linux_binprm *bprm)
+ {
+- umode_t mode;
+- struct inode * inode = file_inode(bprm->file);
+ int retval;
+
+- mode = inode->i_mode;
+ if (bprm->file->f_op == NULL)
+ return -EACCES;
+
+- /* clear any previous set[ug]id data from a previous binary */
+- bprm->cred->euid = current_euid();
+- bprm->cred->egid = current_egid();
+-
+- if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) &&
+- !current->no_new_privs &&
+- kuid_has_mapping(bprm->cred->user_ns, inode->i_uid) &&
+- kgid_has_mapping(bprm->cred->user_ns, inode->i_gid)) {
+- /* Set-uid? */
+- if (mode & S_ISUID) {
+- bprm->per_clear |= PER_CLEAR_ON_SETID;
+- bprm->cred->euid = inode->i_uid;
+- }
+-
+- /* Set-gid? */
+- /*
+- * If setgid is set but no group execute bit then this
+- * is a candidate for mandatory locking, not a setgid
+- * executable.
+- */
+- if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
+- bprm->per_clear |= PER_CLEAR_ON_SETID;
+- bprm->cred->egid = inode->i_gid;
+- }
+- }
++ bprm_fill_uid(bprm);
+
+ /* fill in binprm security blob */
+ retval = security_bprm_set_creds(bprm);
+--
+1.9.1
+
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index 4a2ea43..fed0591 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -37,6 +37,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
file://media-ttusb-dec-CVE-2014-8884.patch \
file://net-sctp-CVE-2015-1421.patch \
file://net-CVE-2015-2041.patch \
+ file://fs-CVE-2015-3339.patch \
"
SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
--
1.9.1
More information about the meta-freescale
mailing list