[kernel] r14574 - in dists/etch-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu Nov 5 03:12:29 UTC 2009


Author: dannf
Date: Thu Nov  5 03:12:26 2009
New Revision: 14574

Log:
NFSv4: fix open-create permissions, move iattr & verf attributes of
struct nfsd4_open out of the union (CVE-2009-3286)

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/all/nfsd4-de-union-iattr-and-verf.patch
      - copied unchanged from r14564, dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/nfsd4-de-union-iattr-and-verf.patch
   dists/etch-security/linux-2.6/debian/patches/bugfix/all/nfsd4-fix-open-create-permissions.patch
   dists/etch-security/linux-2.6/debian/patches/bugfix/all/nfsd4-reindent-do_open_lookup.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/26etch1

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	Thu Nov  5 03:08:44 2009	(r14573)
+++ dists/etch-security/linux-2.6/debian/changelog	Thu Nov  5 03:12:26 2009	(r14574)
@@ -7,6 +7,8 @@
     getname functions (CVE-2009-3002)
   * tc: Fix uninitialized kernel memory leak (CVE-2009-3228)
   * random: make get_random_int() more random (CVE-2009-3238)
+  * NFSv4: fix open-create permissions, move iattr & verf attributes of
+    struct nfsd4_open out of the union (CVE-2009-3286)
 
  -- dann frazier <dannf at debian.org>  Tue, 15 Sep 2009 22:19:58 -0600
 

Copied: dists/etch-security/linux-2.6/debian/patches/bugfix/all/nfsd4-de-union-iattr-and-verf.patch (from r14564, dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/nfsd4-de-union-iattr-and-verf.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/all/nfsd4-de-union-iattr-and-verf.patch	Thu Nov  5 03:12:26 2009	(r14574, copy of r14564, dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/nfsd4-de-union-iattr-and-verf.patch)
@@ -0,0 +1,29 @@
+un-union iattr & verf, from 79fb54abd285b442e1f30f851902f3ddf58e7704
+
+diff -urpN linux-source-2.6.26.orig/include/linux/nfsd/xdr4.h linux-source-2.6.26/include/linux/nfsd/xdr4.h
+--- linux-source-2.6.26.orig/include/linux/nfsd/xdr4.h	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/include/linux/nfsd/xdr4.h	2009-10-15 23:55:47.000000000 -0600
+@@ -207,10 +207,8 @@ struct nfsd4_open {
+ 	u32		op_create;     	    /* request */
+ 	u32		op_createmode;      /* request */
+ 	u32		op_bmval[2];        /* request */
+-	union {                             /* request */
+-		struct iattr	iattr;                      /* UNCHECKED4,GUARDED4 */
+-		nfs4_verifier	verf;                                /* EXCLUSIVE4 */
+-	} u;
++	struct iattr	iattr;              /* UNCHECKED4, GUARDED4, EXCLUSIVE4_1 */
++	nfs4_verifier	verf;               /* EXCLUSIVE4 */
+ 	clientid_t	op_clientid;        /* request */
+ 	struct xdr_netobj op_owner;           /* request */
+ 	u32		op_seqid;           /* request */
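Review bot: Once `iattr` stops aliasing `verf`, nothing in this hunk shows what `iattr` holds for an EXCLUSIVE4 open, where only the verifier is supplied by the client. The nfs4proc.c hunk elsewhere on this page still passes `&open->op_iattr` to nfsd_create_v3() unconditionally, and the vfs.c hunk shows that function feeding `iap->ia_mode` to vfs_create(). Please confirm the XDR decode path zeroes `iattr` (at least `ia_valid` and `ia_mode`) for EXCLUSIVE4, so the new file's mode does not come from stale buffer contents. The new field comment also lists `EXCLUSIVE4_1`, which nothing on this page suggests the target tree implements; `/* UNCHECKED4, GUARDED4 */` would be more accurate for the backport. struct nfsd4_open begins before this hunk, and the patch headers name linux-source-2.6.26, so check that it applies to the 2.6.18 tree without fuzz.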
+@@ -224,8 +222,8 @@ struct nfsd4_open {
+ 	struct nfs4_stateowner *op_stateowner; /* used during processing */
+ 	struct nfs4_acl *op_acl;
+ };
+-#define op_iattr	u.iattr
+-#define op_verf		u.verf
++#define op_iattr	iattr
++#define op_verf		verf
+ 
+ struct nfsd4_open_confirm {
+ 	stateid_t	oc_req_stateid		/* request */;

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/all/nfsd4-fix-open-create-permissions.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/all/nfsd4-fix-open-create-permissions.patch	Thu Nov  5 03:12:26 2009	(r14574)
@@ -0,0 +1,96 @@
+commit 81ac95c5569d7a60ab5db6c1ccec56c12b3ebcb5
+Author: J. Bruce Fields <bfields at fieldses.org>
+Date:   Wed Nov 8 17:44:40 2006 -0800
+
+    [PATCH] nfsd4: fix open-create permissions
+    
+    In the case where an open creates the file, we shouldn't be rechecking
+    permissions to open the file; the open succeeds regardless of what the new
+    file's mode bits say.
+    
+    This patch fixes the problem, but only by introducing yet another parameter
+    to nfsd_create_v3.  This is ugly.  This will be fixed by later patches.
+    
+    Signed-off-by: J. Bruce Fields <bfields at citi.umich.edu>
+    Acked-by: Neil Brown <neilb at suse.de>
+    Cc: Jeff Garzik <jeff at garzik.org>
+    Signed-off-by: Andrew Morton <akpm at osdl.org>
+    Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/fs/nfsd/nfs3proc.c linux-source-2.6.18/fs/nfsd/nfs3proc.c
+--- linux-source-2.6.18.orig/fs/nfsd/nfs3proc.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/nfsd/nfs3proc.c	2009-11-04 20:03:16.000000000 -0700
+@@ -256,7 +256,7 @@ nfsd3_proc_create(struct svc_rqst *rqstp
+ 	/* Now create the file and set attributes */
+ 	nfserr = nfsd_create_v3(rqstp, dirfhp, argp->name, argp->len,
+ 				attr, newfhp,
+-				argp->createmode, argp->verf, NULL);
++				argp->createmode, argp->verf, NULL, NULL);
+ 
+ 	RETURN_STATUS(nfserr);
+ }
+diff -urpN linux-source-2.6.18.orig/fs/nfsd/nfs4proc.c linux-source-2.6.18/fs/nfsd/nfs4proc.c
+--- linux-source-2.6.18.orig/fs/nfsd/nfs4proc.c	2009-11-04 20:02:09.000000000 -0700
++++ linux-source-2.6.18/fs/nfsd/nfs4proc.c	2009-11-04 20:04:14.000000000 -0700
+@@ -93,6 +93,7 @@ do_open_lookup(struct svc_rqst *rqstp, s
+ {
+ 	struct svc_fh resfh;
+ 	int status;
++	int created = 0;
+ 
+ 	fh_init(&resfh, NFS4_FHSIZE);
+ 	open->op_truncate = 0;
+@@ -105,7 +106,7 @@ do_open_lookup(struct svc_rqst *rqstp, s
+ 		status = nfsd_create_v3(rqstp, current_fh, open->op_fname.data,
+ 					open->op_fname.len, &open->op_iattr,
+ 					&resfh, open->op_createmode,
+-					(u32 *)open->op_verf.data, &open->op_truncate);
++					(u32 *)open->op_verf.data, &open->op_truncate, &created);
+ 	} else {
+ 		status = nfsd_lookup(rqstp, current_fh,
+ 				     open->op_fname.data, open->op_fname.len, &resfh);
+@@ -122,7 +123,8 @@ do_open_lookup(struct svc_rqst *rqstp, s
+ 	memcpy(open->op_stateowner->so_replay.rp_openfh,
+ 			&resfh.fh_handle.fh_base, resfh.fh_handle.fh_size);
+ 
+-	status = do_open_permission(rqstp, current_fh, open);
++	if (!created)
++		status = do_open_permission(rqstp, current_fh, open);
+ 
+ out:
+ 	fh_put(&resfh);
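Review bot: The `if (!created)` guard skips do_open_permission() wholesale, and the reason is recorded only in the commit message. The body of do_open_permission() is not shown, so anything it checks beyond the new file's mode bits (for example filehandle verification or share-access/truncate consistency) is presumably skipped for a freshly created file too; it is worth confirming that this is intended. As far as the vfs.c hunk shows, `created` is set only after a successful vfs_create(), so an open that resolves to an existing file still gets the access check. I would add a comment above the guard: `/* The OPEN that creates a file succeeds whatever the new file's mode bits say; only re-check access for a file that already existed. */`. do_open_lookup() begins and ends outside this hunk.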
+diff -urpN linux-source-2.6.18.orig/fs/nfsd/vfs.c linux-source-2.6.18/fs/nfsd/vfs.c
+--- linux-source-2.6.18.orig/fs/nfsd/vfs.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/nfsd/vfs.c	2009-11-04 20:03:16.000000000 -0700
+@@ -1212,7 +1212,7 @@ int
+ nfsd_create_v3(struct svc_rqst *rqstp, struct svc_fh *fhp,
+ 		char *fname, int flen, struct iattr *iap,
+ 		struct svc_fh *resfhp, int createmode, u32 *verifier,
+-	        int *truncp)
++	        int *truncp, int *created)
+ {
+ 	struct dentry	*dentry, *dchild = NULL;
+ 	struct inode	*dirp;
+@@ -1305,6 +1305,8 @@ nfsd_create_v3(struct svc_rqst *rqstp, s
+ 	err = vfs_create(dirp, dchild, iap->ia_mode, NULL);
+ 	if (err < 0)
+ 		goto out_nfserr;
++	if (created)
++		*created = 1;
+ 
+ 	if (EX_ISSYNC(fhp->fh_export)) {
+ 		err = nfserrno(nfsd_sync_dir(dentry));
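Review bot: `*created` is only ever written as 1 here and never cleared, so the result is meaningful only if the caller zeroes it first, and that contract is not documented on the definition or on the prototype in nfsd.h. do_open_lookup() does initialise it (`int created = 0;`) and nfsd3_proc_create() passes NULL. The flag is also set before nfsd_sync_dir() and whatever follows it, so a caller can see `created == 1` together with an error return. That is harmless for do_open_lookup(), which bails out on non-zero status, but a future caller that gates an access check on `created` alone would be wrong. Suggested comment above the parameter list: `/* @created: optional (may be NULL); set to 1 once vfs_create() succeeds, never cleared - caller must initialise to 0 and check the return status first. */`. The body of nfsd_create_v3() continues outside this hunk.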
+diff -urpN linux-source-2.6.18.orig/include/linux/nfsd/nfsd.h linux-source-2.6.18/include/linux/nfsd/nfsd.h
+--- linux-source-2.6.18.orig/include/linux/nfsd/nfsd.h	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/include/linux/nfsd/nfsd.h	2009-11-04 20:03:36.000000000 -0700
+@@ -89,7 +89,7 @@ int		nfsd_access(struct svc_rqst *, stru
+ int		nfsd_create_v3(struct svc_rqst *, struct svc_fh *,
+ 				char *name, int len, struct iattr *attrs,
+ 				struct svc_fh *res, int createmode,
+-				u32 *verifier, int *truncp);
++				u32 *verifier, int *truncp, int *created);
+ int		nfsd_commit(struct svc_rqst *, struct svc_fh *,
+ 				loff_t, unsigned long);
+ #endif /* CONFIG_NFSD_V3 */

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/all/nfsd4-reindent-do_open_lookup.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/all/nfsd4-reindent-do_open_lookup.patch	Thu Nov  5 03:12:26 2009	(r14574)
@@ -0,0 +1,58 @@
+commit af85852de0b32d92b14295aa6f5ba3a9ad044cf6
+Author: J. Bruce Fields <bfields at fieldses.org>
+Date:   Wed Nov 8 17:44:39 2006 -0800
+
+    [PATCH] nfsd4: reindent do_open_lookup()
+    
+    Minor rearrangement, cleanup of do_open_lookup().  No change in behavior.
+    
+    Signed-off-by: J. Bruce Fields <bfields at citi.umich.edu>
+    Acked-by: Neil Brown <neilb at suse.de>
+    Cc: Jeff Garzik <jeff at garzik.org>
+    Signed-off-by: Andrew Morton <akpm at osdl.org>
+    Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/fs/nfsd/nfs4proc.c linux-source-2.6.18/fs/nfsd/nfs4proc.c
+--- linux-source-2.6.18.orig/fs/nfsd/nfs4proc.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/nfsd/nfs4proc.c	2009-11-04 20:02:09.000000000 -0700
+@@ -106,27 +106,25 @@ do_open_lookup(struct svc_rqst *rqstp, s
+ 					open->op_fname.len, &open->op_iattr,
+ 					&resfh, open->op_createmode,
+ 					(u32 *)open->op_verf.data, &open->op_truncate);
+-	}
+-	else {
++	} else {
+ 		status = nfsd_lookup(rqstp, current_fh,
+ 				     open->op_fname.data, open->op_fname.len, &resfh);
+ 		fh_unlock(current_fh);
+ 	}
++	if (status)
++		goto out;
+ 
+-	if (!status) {
+-		set_change_info(&open->op_cinfo, current_fh);
++	set_change_info(&open->op_cinfo, current_fh);
+ 
+-		/* set reply cache */
+-		fh_dup2(current_fh, &resfh);
+-		open->op_stateowner->so_replay.rp_openfh_len =
+-			resfh.fh_handle.fh_size;
+-		memcpy(open->op_stateowner->so_replay.rp_openfh,
+-				&resfh.fh_handle.fh_base,
+-				resfh.fh_handle.fh_size);
++	/* set reply cache */
++	fh_dup2(current_fh, &resfh);
++	open->op_stateowner->so_replay.rp_openfh_len = resfh.fh_handle.fh_size;
++	memcpy(open->op_stateowner->so_replay.rp_openfh,
++			&resfh.fh_handle.fh_base, resfh.fh_handle.fh_size);
+ 
+-		status = do_open_permission(rqstp, current_fh, open);
+-	}
++	status = do_open_permission(rqstp, current_fh, open);
+ 
++out:
+ 	fh_put(&resfh);
+ 	return status;
+ }

Modified: dists/etch-security/linux-2.6/debian/patches/series/26etch1
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/26etch1	Thu Nov  5 03:08:44 2009	(r14573)
+++ dists/etch-security/linux-2.6/debian/patches/series/26etch1	Thu Nov  5 03:12:26 2009	(r14574)
@@ -7,3 +7,6 @@
 + bugfix/all/netrom-fix-nr_getname-leak.patch
 + bugfix/all/tc-fix-pad-leak.patch
 + bugfix/all/random-make-get_random_int-more-random.patch
++ bugfix/all/nfsd4-reindent-do_open_lookup.patch
++ bugfix/all/nfsd4-fix-open-create-permissions.patch
++ bugfix/all/nfsd4-de-union-iattr-and-verf.patch


