[kernel-sec-discuss] r710 - active

Kees Cook keescook-guest at alioth.debian.org
Tue Feb 27 22:24:37 CET 2007 

Author: keescook-guest
Date: 2007-02-27 22:24:37 +0100 (Tue, 27 Feb 2007)
New Revision: 710

Added:
   active/CVE-2007-0772.patch
   active/CVE-2007-0958.patch
Log:
added upstream patches for CVE-2007-0772, CVE-2007-0958

Added: active/CVE-2007-0772.patch
===================================================================
--- active/CVE-2007-0772.patch	2007-02-27 21:01:17 UTC (rev 709)
+++ active/CVE-2007-0772.patch	2007-02-27 21:24:37 UTC (rev 710)
@@ -0,0 +1,54 @@
+commit e162a033a5882bde0c3bf5a07ee2119f9535cd8c
+Author: Greg Banks <gnb at sgi.com>
+Date:   Tue Feb 20 10:12:34 2007 +1100
+
+    [PATCH] Fix a free-wrong-pointer bug in nfs/acl server (CVE-2007-0772)
+    
+    Due to type confusion, when an nfsacl verison 2 'ACCESS' request
+    finishes and tries to clean up, it calls fh_put on entiredly the
+    wrong thing and this can cause an oops.
+    
+    Signed-off-by: Neil Brown <neilb at suse.de>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+    Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/fs/nfsd/nfs2acl.c b/fs/nfsd/nfs2acl.c
+index edde5dc..b617428 100644
+--- a/fs/nfsd/nfs2acl.c
++++ b/fs/nfsd/nfs2acl.c
+@@ -287,13 +287,20 @@ static int nfsaclsvc_release_getacl(struct svc_rqst *rqstp, __be32 *p,
+ 	return 1;
+ }
+ 
+-static int nfsaclsvc_release_fhandle(struct svc_rqst *rqstp, __be32 *p,
+-		struct nfsd_fhandle *resp)
++static int nfsaclsvc_release_attrstat(struct svc_rqst *rqstp, __be32 *p,
++		struct nfsd_attrstat *resp)
+ {
+ 	fh_put(&resp->fh);
+ 	return 1;
+ }
+ 
++static int nfsaclsvc_release_access(struct svc_rqst *rqstp, __be32 *p,
++               struct nfsd3_accessres *resp)
++{
++       fh_put(&resp->fh);
++       return 1;
++}
++
+ #define nfsaclsvc_decode_voidargs	NULL
+ #define nfsaclsvc_encode_voidres	NULL
+ #define nfsaclsvc_release_void		NULL
+@@ -322,9 +329,9 @@ struct nfsd3_voidargs { int dummy; };
+ static struct svc_procedure		nfsd_acl_procedures2[] = {
+   PROC(null,	void,		void,		void,	  RC_NOCACHE, ST),
+   PROC(getacl,	getacl,		getacl,		getacl,	  RC_NOCACHE, ST+1+2*(1+ACL)),
+-  PROC(setacl,	setacl,		attrstat,	fhandle,  RC_NOCACHE, ST+AT),
+-  PROC(getattr, fhandle,	attrstat,	fhandle,  RC_NOCACHE, ST+AT),
+-  PROC(access,	access,		access,		fhandle,  RC_NOCACHE, ST+AT+1),
++  PROC(setacl,	setacl,		attrstat,	attrstat, RC_NOCACHE, ST+AT),
++  PROC(getattr, fhandle,	attrstat,	attrstat, RC_NOCACHE, ST+AT),
++  PROC(access,	access,		access,		access,   RC_NOCACHE, ST+AT+1),
+ };
+ 
+ struct svc_version	nfsd_acl_version2 = {

Added: active/CVE-2007-0958.patch
===================================================================
--- active/CVE-2007-0958.patch	2007-02-27 21:01:17 UTC (rev 709)
+++ active/CVE-2007-0958.patch	2007-02-27 21:24:37 UTC (rev 710)
@@ -0,0 +1,67 @@
+commit 1fb844961818ce94e782acf6a96b92dc2303553b
+Author: Alexey Dobriyan <adobriyan at openvz.org>
+Date:   Fri Jan 26 00:57:16 2007 -0800
+
+    [PATCH] core-dumping unreadable binaries via PT_INTERP
+    
+    Proposed patch to fix #5 in
+    http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt
+    aka
+    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1073
+    
+    To reproduce, do
+    * grab poc at the end of advisory.
+    * add line "eph.p_memsz = 4096;" after "eph.p_filesz = 4096;"
+      where first "4096" is something equal to or greater than 4096.
+    * ./poc /usr/bin/sudo && ls -l
+    
+    Here I get with 2.6.20-rc5:
+    
+     -rw------- 1 ad   ad   102400 2007-01-15 19:17 core
+     ---s--x--x 2 root root 101820 2007-01-15 19:15 /usr/bin/sudo
+    
+    Check for MAY_READ like binfmt_misc.c does.
+    
+    Signed-off-by: Alexey Dobriyan <adobriyan at openvz.org>
+    Signed-off-by: Andrew Morton <akpm at osdl.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index 90461f4..669dbe5 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -682,6 +682,15 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+ 			retval = PTR_ERR(interpreter);
+ 			if (IS_ERR(interpreter))
+ 				goto out_free_interp;
++
++			/*
++			 * If the binary is not readable then enforce
++			 * mm->dumpable = 0 regardless of the interpreter's
++			 * permissions.
++			 */
++			if (file_permission(interpreter, MAY_READ) < 0)
++				bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP;
++
+ 			retval = kernel_read(interpreter, 0, bprm->buf,
+ 					     BINPRM_BUF_SIZE);
+ 			if (retval != BINPRM_BUF_SIZE) {
+diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c
+index 6e6d456..a4d933a 100644
+--- a/fs/binfmt_elf_fdpic.c
++++ b/fs/binfmt_elf_fdpic.c
+@@ -234,6 +234,14 @@ static int load_elf_fdpic_binary(struct linux_binprm *bprm,
+ 				goto error;
+ 			}
+ 
++			/*
++			 * If the binary is not readable then enforce
++			 * mm->dumpable = 0 regardless of the interpreter's
++			 * permissions.
++			 */
++			if (file_permission(interpreter, MAY_READ) < 0)
++				bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP;
++
+ 			retval = kernel_read(interpreter, 0, bprm->buf,
+ 					     BINPRM_BUF_SIZE);
+ 			if (retval < 0)

More information about the kernel-sec-discuss mailing list