[kernel] r20102 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/all

Dann Frazier dannf at alioth.debian.org
Wed May 15 03:07:48 UTC 2013 

Author: dannf
Date: Wed May 15 03:07:47 2013
New Revision: 20102

Log:
net: fix incorrect credentials passing (CVE-2013-1979)

Added:
   dists/wheezy-security/linux/debian/patches/bugfix/all/net-fix-incorrect-credentials-passing.patch
Modified:
   dists/wheezy-security/linux/debian/changelog
   dists/wheezy-security/linux/debian/patches/series

Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog	Wed May 15 02:12:41 2013	(r20101)
+++ dists/wheezy-security/linux/debian/changelog	Wed May 15 03:07:47 2013	(r20102)
@@ -24,6 +24,7 @@
   [ Ben Hutchings ]
   * [x86] KVM: Allow cross page reads and writes from cached translations.
     (fixes regression in fix for CVE-2013-1796)
+  * net: fix incorrect credentials passing (CVE-2013-1979)
 
  -- dann frazier <dannf at debian.org>  Tue, 14 May 2013 11:48:39 -0600
 

Added: dists/wheezy-security/linux/debian/patches/bugfix/all/net-fix-incorrect-credentials-passing.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/net-fix-incorrect-credentials-passing.patch	Wed May 15 03:07:47 2013	(r20102)
@@ -0,0 +1,87 @@
+From 5428146ebea24b916eb9e3684449699cb6a5c8c0 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Fri, 19 Apr 2013 15:32:32 +0000
+Subject: [PATCH] net: fix incorrect credentials passing
+
+commit 83f1b4ba917db5dc5a061a44b3403ddb6e783494 upstream.
+
+Commit 257b5358b32f ("scm: Capture the full credentials of the scm
+sender") changed the credentials passing code to pass in the effective
+uid/gid instead of the real uid/gid.
+
+Obviously this doesn't matter most of the time (since normally they are
+the same), but it results in differences for suid binaries when the wrong
+uid/gid ends up being used.
+
+This just undoes that (presumably unintentional) part of the commit.
+
+Reported-by: Andy Lutomirski <luto at amacapital.net>
+Cc: Eric W. Biederman <ebiederm at xmission.com>
+Cc: Serge E. Hallyn <serge at hallyn.com>
+Cc: David S. Miller <davem at davemloft.net>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Acked-by: "Eric W. Biederman" <ebiederm at xmission.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 3.2: scm_set_cred() does user namespace conversion
+ of euid/egid using cred_to_ucred().  Add and use cred_real_to_ucred() to
+ do the same thing for real uid/gid.]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ include/linux/socket.h |    1 +
+ include/net/scm.h      |    2 +-
+ net/core/sock.c        |   14 ++++++++++++++
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/socket.h b/include/linux/socket.h
+index ad919e0..2acd2e2 100644
+--- a/include/linux/socket.h
++++ b/include/linux/socket.h
+@@ -317,6 +317,7 @@ struct ucred {
+ #define IPX_TYPE	1
+ 
+ extern void cred_to_ucred(struct pid *pid, const struct cred *cred, struct ucred *ucred);
++extern void cred_real_to_ucred(struct pid *pid, const struct cred *cred, struct ucred *ucred);
+ 
+ extern int memcpy_fromiovec(unsigned char *kdata, struct iovec *iov, int len);
+ extern int memcpy_fromiovecend(unsigned char *kdata, const struct iovec *iov,
+diff --git a/include/net/scm.h b/include/net/scm.h
+index 0c0017c..5da0a7b 100644
+--- a/include/net/scm.h
++++ b/include/net/scm.h
+@@ -50,7 +50,7 @@ static __inline__ void scm_set_cred(struct scm_cookie *scm,
+ {
+ 	scm->pid  = get_pid(pid);
+ 	scm->cred = cred ? get_cred(cred) : NULL;
+-	cred_to_ucred(pid, cred, &scm->creds);
++	cred_real_to_ucred(pid, cred, &scm->creds);
+ }
+ 
+ static __inline__ void scm_destroy_cred(struct scm_cookie *scm)
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 1e8a882..2c73adf 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -761,6 +761,20 @@ void cred_to_ucred(struct pid *pid, const struct cred *cred,
+ }
+ EXPORT_SYMBOL_GPL(cred_to_ucred);
+ 
++void cred_real_to_ucred(struct pid *pid, const struct cred *cred,
++			struct ucred *ucred)
++{
++	ucred->pid = pid_vnr(pid);
++	ucred->uid = ucred->gid = -1;
++	if (cred) {
++		struct user_namespace *current_ns = current_user_ns();
++
++		ucred->uid = user_ns_map_uid(current_ns, cred, cred->uid);
++		ucred->gid = user_ns_map_gid(current_ns, cred, cred->gid);
++	}
++}
++EXPORT_SYMBOL_GPL(cred_real_to_ucred);
++
+ int sock_getsockopt(struct socket *sock, int level, int optname,
+ 		    char __user *optval, int __user *optlen)
+ {
+-- 
+1.7.10.4
+

Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series	Wed May 15 02:12:41 2013	(r20101)
+++ dists/wheezy-security/linux/debian/patches/series	Wed May 15 03:07:47 2013	(r20102)
@@ -658,3 +658,4 @@
 bugfix/all/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_st.patch
 bugfix/all/tracing-Fix-possible-NULL-pointer-dereferences.patch
 bugfix/x86/KVM-Allow-cross-page-reads-and-writes-from-cached-tr.patch
+bugfix/all/net-fix-incorrect-credentials-passing.patch

More information about the Kernel-svn-changes mailing list