[kernel] r11321 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Wed May 7 05:24:50 UTC 2008


Author: dannf
Date: Wed May  7 05:24:49 2008
New Revision: 11321

Log:
* bugfix/fcntl_setlk-close-race.patch
  [SECURITY] Fix an SMP race to prevent reordering of flock updates
  and accesses to the descriptor table on close().
  See CVE-2008-1669

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/fcntl_setlk-close-race.patch
   dists/etch-security/linux-2.6/debian/patches/series/18etch4
Modified:
   dists/etch-security/linux-2.6/debian/changelog

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Wed May  7 05:24:49 2008
@@ -1,3 +1,12 @@
+linux-2.6 (2.6.18.dfsg.1-18etch4) UNRELEASED; urgency=high
+
+  * bugfix/fcntl_setlk-close-race.patch
+    [SECURITY] Fix an SMP race to prevent reordering of flock updates
+    and accesses to the descriptor table on close().
+    See CVE-2008-1669
+
+ -- dann frazier <dannf at debian.org>  Tue, 06 May 2008 17:38:45 -0600
+
 linux-2.6 (2.6.18.dfsg.1-18etch3) stable-security; urgency=high
 
   * Wrap added code in bugfix/dnotify-race-avoid-abi-change.patch in

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/fcntl_setlk-close-race.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/fcntl_setlk-close-race.patch	Wed May  7 05:24:49 2008
@@ -0,0 +1,76 @@
+commit 0b2bac2f1ea0d33a3621b27ca68b9ae760fca2e9
+Author: Al Viro <viro at zeniv.linux.org.uk>
+Date:   Tue May 6 13:58:34 2008 -0400
+
+    [PATCH] fix SMP ordering hole in fcntl_setlk()
+    
+    fcntl_setlk()/close() race prevention has a subtle hole - we need to
+    make sure that if we *do* have an fcntl/close race on SMP box, the
+    access to descriptor table and inode->i_flock won't get reordered.
+    
+    As it is, we get STORE inode->i_flock, LOAD descriptor table entry vs.
+    STORE descriptor table entry, LOAD inode->i_flock with not a single
+    lock in common on both sides.  We do have BKL around the first STORE,
+    but check in locks_remove_posix() is outside of BKL and for a good
+    reason - we don't want BKL on common path of close(2).
+    
+    Solution is to hold ->file_lock around fcheck() in there; that orders
+    us wrt removal from descriptor table that preceded locks_remove_posix()
+    on close path and we either come first (in which case eviction will be
+    handled by the close side) or we'll see the effect of close and do
+    eviction ourselves.  Note that even though it's read-only access,
+    we do need ->file_lock here - rcu_read_lock() won't be enough to
+    order the things.
+    
+    Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at hp.com>
+
+diff -urpN linux-source-2.6.18.orig/fs/locks.c linux-source-2.6.18/fs/locks.c
+--- linux-source-2.6.18.orig/fs/locks.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/locks.c	2008-05-06 17:02:29.000000000 -0600
+@@ -1680,6 +1680,7 @@ int fcntl_setlk(unsigned int fd, struct 
+ 	struct file_lock *file_lock = locks_alloc_lock();
+ 	struct flock flock;
+ 	struct inode *inode;
++	struct file *f;
+ 	int error;
+ 
+ 	if (file_lock == NULL)
+@@ -1754,7 +1755,15 @@ again:
+ 	 * Attempt to detect a close/fcntl race and recover by
+ 	 * releasing the lock that was just acquired.
+ 	 */
+-	if (!error && fcheck(fd) != filp && flock.l_type != F_UNLCK) {
++	/*
++	 * we need that spin_lock here - it prevents reordering between
++	 * update of inode->i_flock and check for it done in close().
++	 * rcu_read_lock() wouldn't do.
++	 */
++	spin_lock(&current->files->file_lock);
++	f = fcheck(fd);
++	spin_unlock(&current->files->file_lock);
++	if (!error && f != filp && flock.l_type != F_UNLCK) {
+ 		flock.l_type = F_UNLCK;
+ 		goto again;
+ 	}
+@@ -1823,6 +1832,7 @@ int fcntl_setlk64(unsigned int fd, struc
+ 	struct file_lock *file_lock = locks_alloc_lock();
+ 	struct flock64 flock;
+ 	struct inode *inode;
++	struct file *f;
+ 	int error;
+ 
+ 	if (file_lock == NULL)
+@@ -1897,7 +1907,10 @@ again:
+ 	 * Attempt to detect a close/fcntl race and recover by
+ 	 * releasing the lock that was just acquired.
+ 	 */
+-	if (!error && fcheck(fd) != filp && flock.l_type != F_UNLCK) {
++	spin_lock(&current->files->file_lock);
++	f = fcheck(fd);
++	spin_unlock(&current->files->file_lock);
++	if (!error && f != filp && flock.l_type != F_UNLCK) {
+ 		flock.l_type = F_UNLCK;
+ 		goto again;
+ 	}
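Review bot: The fcntl_setlk64 copy of the fix (the `@@ -1897` hunk) takes `current->files->file_lock` around `fcheck(fd)` without the comment that the fcntl_setlk hunk carries, so a later reader of the 64-bit path sees an apparently gratuitous spin_lock around a read-only lookup and may "optimise" it back to rcu_read_lock(). I would duplicate the three-line comment there, or at least add `/* see fcntl_setlk(): file_lock orders this against close(); RCU is not enough */`. It is also worth stating in both places that `f` is only ever compared with `filp` and never dereferenced, since the pointer fcheck() returns is not pinned once the lock is dropped: `/* f is compared only; no reference is held after the unlock */`. Note that the lookup now runs unconditionally, ahead of the `!error` and F_UNLCK tests that previously short-circuited it, which presumably costs one extra lock round trip per call but should not change the outcome. Both fcntl_setlk and fcntl_setlk64 begin and end outside the hunk.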

Added: dists/etch-security/linux-2.6/debian/patches/series/18etch4
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/series/18etch4	Wed May  7 05:24:49 2008
@@ -0,0 +1 @@
++ bugfix/fcntl_setlk-close-race.patch


