[kernel] r22533 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/all
Ben Hutchings
benh at moszumanska.debian.org
Fri Apr 24 15:19:26 UTC 2015
Author: benh
Date: Fri Apr 24 15:19:26 2015
New Revision: 22533
Log:
fs: take i_mutex during prepare_binprm for set[ug]id executables (CVE-2015-3339)
Added:
dists/wheezy-security/linux/debian/patches/bugfix/all/fs-take-i_mutex-during-prepare_binprm-for-set-ug-id-.patch
Modified:
dists/wheezy-security/linux/debian/changelog
dists/wheezy-security/linux/debian/patches/series
Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog Fri Apr 24 15:06:01 2015 (r22532)
+++ dists/wheezy-security/linux/debian/changelog Fri Apr 24 15:19:26 2015 (r22533)
@@ -13,6 +13,8 @@
* ipv6: Don't reduce hop limit for an interface (CVE-2015-2922)
* [x86] crypto: aesni - fix memory usage in GCM decryption (Closes: #782561)
(CVE-2015-3331)
+ * fs: take i_mutex during prepare_binprm for set[ug]id executables
+ (CVE-2015-3339)
-- Ben Hutchings <ben at decadent.org.uk> Mon, 13 Apr 2015 00:33:14 +0100
Added: dists/wheezy-security/linux/debian/patches/bugfix/all/fs-take-i_mutex-during-prepare_binprm-for-set-ug-id-.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/fs-take-i_mutex-during-prepare_binprm-for-set-ug-id-.patch Fri Apr 24 15:19:26 2015 (r22533)
@@ -0,0 +1,105 @@
+From: Jann Horn <jann at thejh.net>
+Date: Sun, 19 Apr 2015 02:48:39 +0200
+Subject: fs: take i_mutex during prepare_binprm for set[ug]id executables
+Origin: https://git.kernel.org/linus/8b01fc86b9f425899f8a3a8fc1c47d73c2c20543
+
+This prevents a race between chown() and execve(), where chowning a
+setuid-user binary to root would momentarily make the binary setuid
+root.
+
+This patch was mostly written by Linus Torvalds.
+
+Signed-off-by: Jann Horn <jann at thejh.net>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: Backported to 3.2:
+ - Drop the task_no_new_privs() and user namespace checks
+ - Open-code file_inode()
+ - s/READ_ONCE/ACCESS_ONCE/
+ - Adjust context]
+---
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1282,6 +1282,45 @@ int check_unsafe_exec(struct linux_binpr
+ return res;
+ }
+
++static void bprm_fill_uid(struct linux_binprm *bprm)
++{
++ struct inode *inode;
++ unsigned int mode;
++ uid_t uid;
++ gid_t gid;
++
++ /* clear any previous set[ug]id data from a previous binary */
++ bprm->cred->euid = current_euid();
++ bprm->cred->egid = current_egid();
++
++ if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
++ return;
++
++ inode = bprm->file->f_path.dentry->d_inode;
++ mode = ACCESS_ONCE(inode->i_mode);
++ if (!(mode & (S_ISUID|S_ISGID)))
++ return;
++
++ /* Be careful if suid/sgid is set */
++ mutex_lock(&inode->i_mutex);
++
++ /* reload atomically mode/uid/gid now that lock held */
++ mode = inode->i_mode;
++ uid = inode->i_uid;
++ gid = inode->i_gid;
++ mutex_unlock(&inode->i_mutex);
++
++ if (mode & S_ISUID) {
++ bprm->per_clear |= PER_CLEAR_ON_SETID;
++ bprm->cred->euid = uid;
++ }
++
++ if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
++ bprm->per_clear |= PER_CLEAR_ON_SETID;
++ bprm->cred->egid = gid;
++ }
++}
++
+ /*
+ * Fill the binprm structure from the inode.
+ * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes
+@@ -1290,36 +1329,12 @@ int check_unsafe_exec(struct linux_binpr
+ */
+ int prepare_binprm(struct linux_binprm *bprm)
+ {
+- umode_t mode;
+- struct inode * inode = bprm->file->f_path.dentry->d_inode;
+ int retval;
+
+- mode = inode->i_mode;
+ if (bprm->file->f_op == NULL)
+ return -EACCES;
+
+- /* clear any previous set[ug]id data from a previous binary */
+- bprm->cred->euid = current_euid();
+- bprm->cred->egid = current_egid();
+-
+- if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) {
+- /* Set-uid? */
+- if (mode & S_ISUID) {
+- bprm->per_clear |= PER_CLEAR_ON_SETID;
+- bprm->cred->euid = inode->i_uid;
+- }
+-
+- /* Set-gid? */
+- /*
+- * If setgid is set but no group execute bit then this
+- * is a candidate for mandatory locking, not a setgid
+- * executable.
+- */
+- if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
+- bprm->per_clear |= PER_CLEAR_ON_SETID;
+- bprm->cred->egid = inode->i_gid;
+- }
+- }
++ bprm_fill_uid(bprm);
+
+ /* fill in binprm security blob */
+ retval = security_bprm_set_creds(bprm);
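Review bot: The new `bprm_fill_uid` loses the comment that justified the `S_IXGRP` half of the setgid test — the removed `prepare_binprm` lines explained that setgid without group-execute marks a mandatory-locking candidate rather than a setgid executable, and that rationale now appears nowhere in the file. Restore it above the second `if`, e.g. `/* setgid without group-exec means mandatory locking, not a setgid executable */`. The unlocked `mode = ACCESS_ONCE(inode->i_mode)` read also deserves a marker that it is only a fast path, e.g. `/* unlocked fast path; the re-read under i_mutex below is authoritative for mode/uid/gid */`, since the fix relies on the locked re-read seeing owner and set[ug]id bits consistently (presumably the same lock chown() holds while it changes them — worth confirming against the 3.2 chown path). The backport header already records that the no_new_privs and user-namespace checks were dropped; the body of `prepare_binprm` continues past the end of this hunk.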
Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series Fri Apr 24 15:06:01 2015 (r22532)
+++ dists/wheezy-security/linux/debian/patches/series Fri Apr 24 15:19:26 2015 (r22533)
@@ -1165,3 +1165,4 @@
bugfix/x86/x86-asm-entry-64-remove-a-bogus-ret_from_fork-optimi.patch
bugfix/all/ipv6-don-t-reduce-hop-limit-for-an-interface.patch
bugfix/x86/crypto-aesni-fix-memory-usage-in-GCM-decryption.patch
+bugfix/all/fs-take-i_mutex-during-prepare_binprm-for-set-ug-id-.patch