[linux] 02/02: ipc: Initialize msg/shm IPC objects before doing ipc_addid() (CVE-2015-7613)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Fri Oct 2 14:15:26 UTC 2015
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch jessie-security
in repository linux.
commit 8233cb8a0d4737149e7f7487b73e459afa470fa5
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Fri Oct 2 07:37:27 2015 +0200
ipc: Initialize msg/shm IPC objects before doing ipc_addid() (CVE-2015-7613)
---
debian/changelog | 2 +
...sg-shm-IPC-objects-before-doing-ipc_addid.patch | 108 +++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 111 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index b1c36f3..80b12a0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,8 @@ linux (3.16.7-ckt11-1+deb8u5) UNRELEASED; urgency=medium
[ Salvatore Bonaccorso ]
* ipc: fully initialize sem_array before making it visible
+ * ipc: Initialize msg/shm IPC objects before doing ipc_addid()
+ (CVE-2015-7613)
-- Ben Hutchings <ben at decadent.org.uk> Fri, 02 Oct 2015 02:39:36 +0100
diff --git a/debian/patches/bugfix/all/Initialize-msg-shm-IPC-objects-before-doing-ipc_addid.patch b/debian/patches/bugfix/all/Initialize-msg-shm-IPC-objects-before-doing-ipc_addid.patch
new file mode 100644
index 0000000..aed863b
--- /dev/null
+++ b/debian/patches/bugfix/all/Initialize-msg-shm-IPC-objects-before-doing-ipc_addid.patch
@@ -0,0 +1,108 @@
+From: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Wed, 30 Sep 2015 12:48:40 -0400
+Subject: Initialize msg/shm IPC objects before doing ipc_addid()
+Origin: https://git.kernel.org/linus/b9a532277938798b53178d5a66af6e2915cb27cf
+
+As reported by Dmitry Vyukov, we really shouldn't do ipc_addid() before
+having initialized the IPC object state. Yes, we initialize the IPC
+object in a locked state, but with all the lockless RCU lookup work,
+that IPC object lock no longer means that the state cannot be seen.
+
+We already did this for the IPC semaphore code (see commit e8577d1f0329:
+"ipc/sem.c: fully initialize sem_array before making it visible") but we
+clearly forgot about msg and shm.
+
+Reported-by: Dmitry Vyukov <dvyukov at google.com>
+Cc: Manfred Spraul <manfred at colorfullife.com>
+Cc: Davidlohr Bueso <dbueso at suse.de>
+Cc: stable at vger.kernel.org
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[carnil: Backported to 3.16: adjust context]
+---
+ ipc/msg.c | 14 +++++++-------
+ ipc/shm.c | 13 +++++++------
+ ipc/util.c | 8 ++++----
+ 3 files changed, 18 insertions(+), 17 deletions(-)
+
+--- a/ipc/msg.c
++++ b/ipc/msg.c
+@@ -137,13 +137,6 @@ static int newque(struct ipc_namespace *
+ return retval;
+ }
+
+- /* ipc_addid() locks msq upon success. */
+- id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
+- if (id < 0) {
+- ipc_rcu_putref(msq, msg_rcu_free);
+- return id;
+- }
+-
+ msq->q_stime = msq->q_rtime = 0;
+ msq->q_ctime = get_seconds();
+ msq->q_cbytes = msq->q_qnum = 0;
+@@ -153,6 +146,13 @@ static int newque(struct ipc_namespace *
+ INIT_LIST_HEAD(&msq->q_receivers);
+ INIT_LIST_HEAD(&msq->q_senders);
+
++ /* ipc_addid() locks msq upon success. */
++ id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
++ if (id < 0) {
++ ipc_rcu_putref(msq, msg_rcu_free);
++ return id;
++ }
++
+ ipc_unlock_object(&msq->q_perm);
+ rcu_read_unlock();
+
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -547,12 +547,6 @@ static int newseg(struct ipc_namespace *
+ if (IS_ERR(file))
+ goto no_file;
+
+- id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
+- if (id < 0) {
+- error = id;
+- goto no_id;
+- }
+-
+ shp->shm_cprid = task_tgid_vnr(current);
+ shp->shm_lprid = 0;
+ shp->shm_atim = shp->shm_dtim = 0;
+@@ -562,6 +556,12 @@ static int newseg(struct ipc_namespace *
+ shp->shm_file = file;
+ shp->shm_creator = current;
+
++ id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
++ if (id < 0) {
++ error = id;
++ goto no_id;
++ }
++
+ /*
+ * shmid gets reported as "inode#" in /proc/pid/maps.
+ * proc-ps tools use this. Changing this will break them.
+--- a/ipc/util.c
++++ b/ipc/util.c
+@@ -277,6 +277,10 @@ int ipc_addid(struct ipc_ids *ids, struc
+ rcu_read_lock();
+ spin_lock(&new->lock);
+
++ current_euid_egid(&euid, &egid);
++ new->cuid = new->uid = euid;
++ new->gid = new->cgid = egid;
++
+ id = idr_alloc(&ids->ipcs_idr, new,
+ (next_id < 0) ? 0 : ipcid_to_idx(next_id), 0,
+ GFP_NOWAIT);
+@@ -289,10 +293,6 @@ int ipc_addid(struct ipc_ids *ids, struc
+
+ ids->in_use++;
+
+- current_euid_egid(&euid, &egid);
+- new->cuid = new->uid = euid;
+- new->gid = new->cgid = egid;
+-
+ if (next_id < 0) {
+ new->seq = ids->seq++;
+ if (ids->seq > IPCID_SEQ_MAX)
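Review bot: The ipc/msg.c and ipc/shm.c hunks move the ipc_addid() call below the field initialization, but nothing at the new call sites records that this ordering is load-bearing: the retained comment `/* ipc_addid() locks msq upon success. */` only describes locking, and the shm.c call site has no comment at all, so a later refactor could hoist the call back up and reintroduce the race. I would extend the msg.c comment to `/* ipc_addid() publishes msq for lockless RCU lookup; every field must be initialized before this call. */` and add the equivalent line above the ipc_addid() call in shm.c. The ipc/util.c hunk moves the euid/egid assignment ahead of idr_alloc() for what looks like the same reason (the object presumably becomes reachable through the idr as soon as the slot is filled), and a one-line comment above `current_euid_egid(&euid, &egid);` saying so would make that dependency explicit. newque(), newseg() and ipc_addid() all begin and end outside these hunks, so the error paths after the moved calls (ipc_rcu_putref() in msg.c, the no_id label in shm.c) should be checked in the full file to confirm they are still correct for an object that is now fully initialized when the failure occurs.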
diff --git a/debian/patches/series b/debian/patches/series
index efc1d6c..e7529f0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -651,3 +651,4 @@ bugfix/all/vfs-test-for-and-handle-paths-that-are-unreachable-f.patch
bugfix/all/usb-whiteheat-fix-potential-null-deref-at-probe.patch
bugfix/all/sctp-fix-race-on-protocol-netns-initialization.patch
bugfix/all/ipc-sem.c-fully-initialize-sem_array-before-making-i.patch
+bugfix/all/Initialize-msg-shm-IPC-objects-before-doing-ipc_addid.patch