[kernel] r20084 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/all
Dann Frazier
dannf at alioth.debian.org
Tue May 14 23:29:07 UTC 2013
Author: dannf
Date: Tue May 14 23:29:06 2013
New Revision: 20084
Log:
TTY: fix timing leak with /dev/ptmx (CVE-2013-0160)
Added:
dists/wheezy-security/linux/debian/patches/bugfix/all/TTY-do-not-update-atime-mtime-on-read-write.patch
dists/wheezy-security/linux/debian/patches/bugfix/all/TTY-fix-atime-mtime-regression.patch
dists/wheezy-security/linux/debian/patches/bugfix/all/tty-fix-up-atime-mtime-mess-take-three.patch
Modified:
dists/wheezy-security/linux/debian/changelog
dists/wheezy-security/linux/debian/patches/series
Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog Tue May 14 18:13:35 2013 (r20083)
+++ dists/wheezy-security/linux/debian/changelog Tue May 14 23:29:06 2013 (r20084)
@@ -1,6 +1,7 @@
linux (3.2.41-2+deb7u1) UNRELEASED; urgency=high
* perf: Treat attr.config as u64 in perf_swevent_init() (CVE-2013-2094)
+ * TTY: fix timing leak with /dev/ptmx (CVE-2013-0160)
-- dann frazier <dannf at debian.org> Tue, 14 May 2013 11:48:39 -0600
Added: dists/wheezy-security/linux/debian/patches/bugfix/all/TTY-do-not-update-atime-mtime-on-read-write.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/TTY-do-not-update-atime-mtime-on-read-write.patch Tue May 14 23:29:06 2013 (r20084)
@@ -0,0 +1,57 @@
+From c29ad805df8c54a9f5d74c66bf5d4a2d449bd99a Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby at suse.cz>
+Date: Fri, 15 Feb 2013 15:25:05 +0100
+Subject: [PATCH] TTY: do not update atime/mtime on read/write
+
+commit b0de59b5733d18b0d1974a060860a8b5c1b36a2e upstream.
+
+On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find
+out length of a password using timestamps of /dev/ptmx. It is
+documented in "Timing Analysis of Keystrokes and Timing Attacks on
+SSH". To avoid that problem, do not update time when reading
+from/writing to a TTY.
+
+I am afraid of regressions as this is a behavior we have since 0.97
+and apps may expect the time to be current, e.g. for monitoring
+whether there was a change on the TTY. Now, there is no change. So
+this would better have a lot of testing before it goes upstream.
+
+References: CVE-2013-0160
+
+Signed-off-by: Jiri Slaby <jslaby at suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/tty/tty_io.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index 05085be..f3ad3ec 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -976,8 +976,7 @@ static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
+ else
+ i = -EIO;
+ tty_ldisc_deref(ld);
+- if (i > 0)
+- inode->i_atime = current_fs_time(inode->i_sb);
++
+ return i;
+ }
+
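Review bot: nothing at the end of tty_read() records that the missing `i_atime` update is deliberate, and the hunk leaves a bare blank line where the two removed lines were. A one-line comment before `return i;` saying that TTY timestamps are intentionally not refreshed on read (CVE-2013-0160, keystroke timing via /dev/ptmx) would stop a later cleanup from restoring the update.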
+@@ -1078,11 +1077,8 @@ static inline ssize_t do_tty_write(
+ break;
+ cond_resched();
+ }
+- if (written) {
+- struct inode *inode = file->f_path.dentry->d_inode;
+- inode->i_mtime = current_fs_time(inode->i_sb);
++ if (written)
+ ret = written;
+- }
+ out:
+ tty_write_unlock(tty);
+ return ret;
+--
+1.7.10.4
+
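Review bot: dropping the `i_mtime` update in do_tty_write() outright, together with the `i_atime` removal in tty_read(), leaves the tty inode's timestamps frozen for the life of the session, which is the regression the commit message itself worries about ("apps may expect the time to be current"). Coarsening the timestamp instead of removing it would keep idle-time monitoring working while still hiding per-keystroke timing; that is the direction the next patch in this revision takes.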
Added: dists/wheezy-security/linux/debian/patches/bugfix/all/TTY-fix-atime-mtime-regression.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/TTY-fix-atime-mtime-regression.patch Tue May 14 23:29:06 2013 (r20084)
@@ -0,0 +1,71 @@
+From 0b28f5865ef23d2bcee122d75b4aea1e2f052624 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby at suse.cz>
+Date: Fri, 26 Apr 2013 13:48:53 +0200
+Subject: [PATCH] TTY: fix atime/mtime regression
+
+commit 37b7f3c76595e23257f61bd80b223de8658617ee upstream.
+
+In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write")
+we removed timestamps from tty inodes to fix a security issue and waited
+if something breaks. Well, 'w', the utility to find out logged users
+and their inactivity time broke. It shows that users are inactive since
+the time they logged in.
+
+To revert to the old behaviour while still preventing attackers to
+guess the password length, we update the timestamps in one-minute
+intervals by this patch.
+
+Signed-off-by: Jiri Slaby <jslaby at suse.cz>
+Cc: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: For 3.2, use Greg's backported version]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/tty/tty_io.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index f3ad3ec..c7131a9 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -940,6 +940,14 @@ void start_tty(struct tty_struct *tty)
+
+ EXPORT_SYMBOL(start_tty);
+
++static void tty_update_time(struct timespec *time)
++{
++ unsigned long sec = get_seconds();
++ sec -= sec % 60;
++ if ((long)(sec - time->tv_sec) > 0)
++ time->tv_sec = sec;
++}
++
+ /**
+ * tty_read - read method for tty device files
+ * @file: pointer to tty file
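Review bot: tty_update_time() has no comment, so the reason for `sec -= sec % 60;` (hiding per-keystroke timing while keeping idle detection usable) lives only in the commit message, and 60 is a bare literal. A short comment above the function and a named constant for the granularity would help. Also, only `tv_sec` is written: `tv_nsec` keeps whatever value it had before, so the stored timestamp is the rounded second plus a stale nanosecond part. Either zero it or state in the comment that leaving it is intended.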
+@@ -977,6 +985,9 @@ static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
+ i = -EIO;
+ tty_ldisc_deref(ld);
+
++ if (i > 0)
++ tty_update_time(&inode->i_atime);
++
+ return i;
+ }
+
+@@ -1077,8 +1088,11 @@ static inline ssize_t do_tty_write(
+ break;
+ cond_resched();
+ }
+- if (written)
++ if (written) {
++ struct inode *inode = file->f_path.dentry->d_inode;
++ tty_update_time(&inode->i_mtime);
+ ret = written;
++ }
+ out:
+ tty_write_unlock(tty);
+ return ret;
+--
+1.7.10.4
+
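Review bot: in the do_tty_write() hunk the declaration `struct inode *inode = file->f_path.dentry->d_inode;` is followed directly by the `tty_update_time(&inode->i_mtime);` call, where kernel style puts a blank line after declarations. Minor, but worth fixing while the block is being reintroduced.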
Added: dists/wheezy-security/linux/debian/patches/bugfix/all/tty-fix-up-atime-mtime-mess-take-three.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/tty-fix-up-atime-mtime-mess-take-three.patch Tue May 14 23:29:06 2013 (r20084)
@@ -0,0 +1,68 @@
+From cd945654552d978b84c0825c7206b2d0667a1272 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Wed, 1 May 2013 07:32:21 -0700
+Subject: [PATCH] tty: fix up atime/mtime mess, take three
+
+commit b0b885657b6c8ef63a46bc9299b2a7715d19acde upstream.
+
+We first tried to avoid updating atime/mtime entirely (commit
+b0de59b5733d: "TTY: do not update atime/mtime on read/write"), and then
+limited it to only update it occasionally (commit 37b7f3c76595: "TTY:
+fix atime/mtime regression"), but it turns out that this was both
+insufficient and overkill.
+
+It was insufficient because we let people attach to the shared ptmx node
+to see activity without even reading atime/mtime, and it was overkill
+because the "only once a minute" means that you can't really tell an
+idle person from an active one with 'w'.
+
+So this tries to fix the problem properly. It marks the shared ptmx
+node as un-notifiable, and it lowers the "only once a minute" to a few
+seconds instead - still long enough that you can't time individual
+keystrokes, but short enough that you can tell whether somebody is
+active or not.
+
+Reported-by: Simon Kirby <sim at hostway.ca>
+Acked-by: Jiri Slaby <jslaby at suse.cz>
+Cc: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/tty/pty.c | 3 +++
+ drivers/tty/tty_io.c | 4 ++--
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
+index d19b879..4735928 100644
+--- a/drivers/tty/pty.c
++++ b/drivers/tty/pty.c
+@@ -669,6 +669,9 @@ static int ptmx_open(struct inode *inode, struct file *filp)
+
+ nonseekable_open(inode, filp);
+
++ /* We refuse fsnotify events on ptmx, since it's a shared resource */
++ filp->f_mode |= FMODE_NONOTIFY;
++
+ retval = tty_alloc_file(filp);
+ if (retval)
+ return retval;
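Review bot: the comment on `filp->f_mode |= FMODE_NONOTIFY;` says only that ptmx is "a shared resource" and not why that matters. The commit message has the actual reason (people can attach to the shared ptmx node and see activity without even reading atime/mtime); putting that in the comment would make clear that this line is part of the timing-leak fix and must not be dropped in a later cleanup.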
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index c7131a9..3f35e42 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -940,10 +940,10 @@ void start_tty(struct tty_struct *tty)
+
+ EXPORT_SYMBOL(start_tty);
+
++/* We limit tty time update visibility to every 8 seconds or so. */
+ static void tty_update_time(struct timespec *time)
+ {
+- unsigned long sec = get_seconds();
+- sec -= sec % 60;
++ unsigned long sec = get_seconds() & ~7;
+ if ((long)(sec - time->tv_sec) > 0)
+ time->tv_sec = sec;
+ }
+--
+1.7.10.4
+
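Review bot: the new comment on tty_update_time() gives the interval ("every 8 seconds or so") but not the constraint that picks it, which the commit message states: long enough that individual keystrokes cannot be timed, short enough that 'w' can tell an idle user from an active one. Say that in the comment so the mask is not later tightened for finer idle reporting. `get_seconds() & ~7` would also read more clearly with the mask written as `~7UL` or as a named granularity constant, since `sec` is unsigned long.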
Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series Tue May 14 18:13:35 2013 (r20083)
+++ dists/wheezy-security/linux/debian/patches/series Tue May 14 23:29:06 2013 (r20084)
@@ -640,3 +640,6 @@
bugfix/x86/KVM-x86-Convert-MSR_KVM_SYSTEM_TIME-to-use-gfn_to_hv.patch
bugfix/all/KVM-Fix-bounds-checking-in-ioapic-indirect-register-.patch
bugfix/all/perf-Treat-attr.config-as-u64-in-perf_swevent_init.patch
+bugfix/all/TTY-do-not-update-atime-mtime-on-read-write.patch
+bugfix/all/TTY-fix-atime-mtime-regression.patch
+bugfix/all/tty-fix-up-atime-mtime-mess-take-three.patch