[linux] 02/02: Fix ipc init vs lookup races including CVE-2015-7613

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Sun Oct 4 23:40:04 UTC 2015 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch squeeze-security
in repository linux.

commit 42074310f11792341ec8cddbb5e1d89220933051
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Mon Oct 5 00:36:59 2015 +0100

    Fix ipc init vs lookup races including CVE-2015-7613
---
 debian/changelog                                   |   3 +
 ...msg-shm-IPC-objects-before-doing-ipc_addi.patch | 110 +++++++++++++++++++++
 ...ully-initialize-sem_array-before-making-i.patch |  55 +++++++++++
 debian/patches/series/48squeeze15                  |   3 +
 4 files changed, 171 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 6f42795..01b9ef2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,9 @@
 linux-2.6 (2.6.32-48squeeze15) UNRELEASED; urgency=medium
 
   * USB: whiteheat: fix potential null-deref at probe (CVE-2015-5257)
+  * ipc/sem.c: fully initialize sem_array before making it visible
+  * ipc: Initialize msg/shm IPC objects before doing ipc_addid()
+    (CVE-2015-7613)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Fri, 02 Oct 2015 02:34:23 +0100
 
diff --git a/debian/patches/bugfix/all/Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch b/debian/patches/bugfix/all/Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch
new file mode 100644
index 0000000..5c7d7cb
--- /dev/null
+++ b/debian/patches/bugfix/all/Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch
@@ -0,0 +1,110 @@
+From: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Wed, 30 Sep 2015 12:48:40 -0400
+Subject: Initialize msg/shm IPC objects before doing ipc_addid()
+Origin: https://git.kernel.org/linus/b9a532277938798b53178d5a66af6e2915cb27cf
+
+As reported by Dmitry Vyukov, we really shouldn't do ipc_addid() before
+having initialized the IPC object state.  Yes, we initialize the IPC
+object in a locked state, but with all the lockless RCU lookup work,
+that IPC object lock no longer means that the state cannot be seen.
+
+We already did this for the IPC semaphore code (see commit e8577d1f0329:
+"ipc/sem.c: fully initialize sem_array before making it visible") but we
+clearly forgot about msg and shm.
+
+Reported-by: Dmitry Vyukov <dvyukov at google.com>
+Cc: Manfred Spraul <manfred at colorfullife.com>
+Cc: Davidlohr Bueso <dbueso at suse.de>
+Cc: stable at vger.kernel.org
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: Backported to 2.6.32:
+ - Adjust context
+ - The error path being moved looks a little different]
+---
+--- a/ipc/msg.c
++++ b/ipc/msg.c
+@@ -199,6 +199,15 @@ static int newque(struct ipc_namespace *
+ 		return retval;
+ 	}
+ 
++	msq->q_stime = msq->q_rtime = 0;
++	msq->q_ctime = get_seconds();
++	msq->q_cbytes = msq->q_qnum = 0;
++	msq->q_qbytes = ns->msg_ctlmnb;
++	msq->q_lspid = msq->q_lrpid = 0;
++	INIT_LIST_HEAD(&msq->q_messages);
++	INIT_LIST_HEAD(&msq->q_receivers);
++	INIT_LIST_HEAD(&msq->q_senders);
++
+ 	/*
+ 	 * ipc_addid() locks msq
+ 	 */
+@@ -209,15 +218,6 @@ static int newque(struct ipc_namespace *
+ 		return id;
+ 	}
+ 
+-	msq->q_stime = msq->q_rtime = 0;
+-	msq->q_ctime = get_seconds();
+-	msq->q_cbytes = msq->q_qnum = 0;
+-	msq->q_qbytes = ns->msg_ctlmnb;
+-	msq->q_lspid = msq->q_lrpid = 0;
+-	INIT_LIST_HEAD(&msq->q_messages);
+-	INIT_LIST_HEAD(&msq->q_receivers);
+-	INIT_LIST_HEAD(&msq->q_senders);
+-
+ 	msg_unlock(msq);
+ 
+ 	return msq->q_perm.id;
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -386,12 +386,6 @@ static int newseg(struct ipc_namespace *
+ 	if (IS_ERR(file))
+ 		goto no_file;
+ 
+-	id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
+-	if (id < 0) {
+-		error = id;
+-		goto no_id;
+-	}
+-
+ 	shp->shm_cprid = task_tgid_vnr(current);
+ 	shp->shm_lprid = 0;
+ 	shp->shm_atim = shp->shm_dtim = 0;
+@@ -399,6 +393,13 @@ static int newseg(struct ipc_namespace *
+ 	shp->shm_segsz = size;
+ 	shp->shm_nattch = 0;
+ 	shp->shm_file = file;
++
++	id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
++	if (id < 0) {
++		error = id;
++		goto no_id;
++	}
++
+ 	/*
+ 	 * shmid gets reported as "inode#" in /proc/pid/maps.
+ 	 * proc-ps tools use this. Changing this will break them.
+--- a/ipc/util.c
++++ b/ipc/util.c
+@@ -264,6 +264,10 @@ int ipc_addid(struct ipc_ids* ids, struc
+ 	rcu_read_lock();
+ 	spin_lock(&new->lock);
+ 
++	current_euid_egid(&euid, &egid);
++	new->cuid = new->uid = euid;
++	new->gid = new->cgid = egid;
++
+ 	err = idr_get_new(&ids->ipcs_idr, new, &id);
+ 	if (err) {
+ 		spin_unlock(&new->lock);
+@@ -273,10 +277,6 @@ int ipc_addid(struct ipc_ids* ids, struc
+ 
+ 	ids->in_use++;
+ 
+-	current_euid_egid(&euid, &egid);
+-	new->cuid = new->uid = euid;
+-	new->gid = new->cgid = egid;
+-
+ 	new->seq = ids->seq++;
+ 	if(ids->seq > ids->seq_max)
+ 		ids->seq = 0;
diff --git a/debian/patches/bugfix/all/ipc-sem.c-fully-initialize-sem_array-before-making-i.patch b/debian/patches/bugfix/all/ipc-sem.c-fully-initialize-sem_array-before-making-i.patch
new file mode 100644
index 0000000..c925150
--- /dev/null
+++ b/debian/patches/bugfix/all/ipc-sem.c-fully-initialize-sem_array-before-making-i.patch
@@ -0,0 +1,55 @@
+From: Manfred Spraul <manfred at colorfullife.com>
+Date: Tue, 2 Dec 2014 15:59:34 -0800
+Subject: ipc/sem.c: fully initialize sem_array before making it visible
+Origin: https://git.kernel.org/linus/e8577d1f0329d4842e8302e289fb2c22156abef4
+
+ipc_addid() makes a new ipc identifier visible to everyone.  New objects
+start as locked, so that the caller can complete the initialization
+after the call.  Within struct sem_array, at least sma->sem_base and
+sma->sem_nsems are accessed without any locks, therefore this approach
+doesn't work.
+
+Thus: Move the ipc_addid() to the end of the initialization.
+
+Signed-off-by: Manfred Spraul <manfred at colorfullife.com>
+Reported-by: Rik van Riel <riel at redhat.com>
+Acked-by: Rik van Riel <riel at redhat.com>
+Acked-by: Davidlohr Bueso <dave at stgolabs.net>
+Acked-by: Rafael Aquini <aquini at redhat.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: Backported to 2.6.32:
+ - Adjust context
+ - The error path being moved looks a little different]
+---
+--- a/ipc/sem.c
++++ b/ipc/sem.c
+@@ -264,19 +264,20 @@ static int newary(struct ipc_namespace *
+ 		return retval;
+ 	}
+ 
+-	id = ipc_addid(&sem_ids(ns), &sma->sem_perm, ns->sc_semmni);
+-	if (id < 0) {
+-		security_sem_free(sma);
+-		ipc_rcu_putref(sma);
+-		return id;
+-	}
+-	ns->used_sems += nsems;
+-
+ 	sma->sem_base = (struct sem *) &sma[1];
+ 	INIT_LIST_HEAD(&sma->sem_pending);
+ 	INIT_LIST_HEAD(&sma->list_id);
+ 	sma->sem_nsems = nsems;
+ 	sma->sem_ctime = get_seconds();
++
++	id = ipc_addid(&sem_ids(ns), &sma->sem_perm, ns->sc_semmni);
++	if (id < 0) {
++		security_sem_free(sma);
++		ipc_rcu_putref(sma);
++		return id;
++	}
++	ns->used_sems += nsems;
++
+ 	sem_unlock(sma);
+ 
+ 	return sma->sem_perm.id;
diff --git a/debian/patches/series/48squeeze15 b/debian/patches/series/48squeeze15
index 0e8a2c5..e78a2c3 100644
--- a/debian/patches/series/48squeeze15
+++ b/debian/patches/series/48squeeze15
@@ -1 +1,4 @@
 + bugfix/all/usb-whiteheat-fix-potential-null-deref-at-probe.patch
++ bugfix/all/ipc-sem.c-fully-initialize-sem_array-before-making-i.patch
++ bugfix/all/Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch
+

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list