[linux] 02/07: ipc/shm: Fix shmat mmap nil-page protection (CVE-2017-5669)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Tue Mar 7 02:36:44 UTC 2017 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch wheezy-security
in repository linux.

commit 611c334c3371b2070fc115296b46d0d4f8d648fb
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Tue Mar 7 02:11:44 2017 +0000

    ipc/shm: Fix shmat mmap nil-page protection (CVE-2017-5669)
---
 debian/changelog                                   |  3 ++
 ...pc-shm-fix-shmat-mmap-nil-page-protection.patch | 58 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 62 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index bd8d8fa..d958796 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -76,6 +76,9 @@ linux (3.2.86-1) UNRELEASED; urgency=medium
       (CVE-2016-9588)
     - tcp: avoid infinite loop in tcp_splice_read() (CVE-2017-6214)
 
+  [ Ben Hutchings ]
+  * ipc/shm: Fix shmat mmap nil-page protection (CVE-2017-5669)
+
  -- Ben Hutchings <ben at decadent.org.uk>  Tue, 07 Mar 2017 01:47:48 +0000
 
 linux (3.2.84-2) wheezy-security; urgency=high
diff --git a/debian/patches/bugfix/all/ipc-shm-fix-shmat-mmap-nil-page-protection.patch b/debian/patches/bugfix/all/ipc-shm-fix-shmat-mmap-nil-page-protection.patch
new file mode 100644
index 0000000..ea7b9ed
--- /dev/null
+++ b/debian/patches/bugfix/all/ipc-shm-fix-shmat-mmap-nil-page-protection.patch
@@ -0,0 +1,58 @@
+From: Davidlohr Bueso <dave at stgolabs.net>
+Date: Mon, 27 Feb 2017 14:28:24 -0800
+Subject: ipc/shm: Fix shmat mmap nil-page protection
+Origin: https://git.kernel.org/linus/95e91b831f87ac8e1f8ed50c14d709089b4e01b8
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5669
+
+The issue is described here, with a nice testcase:
+
+    https://bugzilla.kernel.org/show_bug.cgi?id=192931
+
+The problem is that shmat() calls do_mmap_pgoff() with MAP_FIXED, and
+the address rounded down to 0.  For the regular mmap case, the
+protection mentioned above is that the kernel gets to generate the
+address -- arch_get_unmapped_area() will always check for MAP_FIXED and
+return that address.  So by the time we do security_mmap_addr(0) things
+get funky for shmat().
+
+The testcase itself shows that while a regular user crashes, root will
+not have a problem attaching a nil-page.  There are two possible fixes
+to this.  The first, and which this patch does, is to simply allow root
+to crash as well -- this is also regular mmap behavior, ie when hacking
+up the testcase and adding mmap(...  |MAP_FIXED).  While this approach
+is the safer option, the second alternative is to ignore SHM_RND if the
+rounded address is 0, thus only having MAP_SHARED flags.  This makes the
+behavior of shmat() identical to the mmap() case.  The downside of this
+is obviously user visible, but does make sense in that it maintains
+semantics after the round-down wrt 0 address and mmap.
+
+Passes shm related ltp tests.
+
+Link: http://lkml.kernel.org/r/1486050195-18629-1-git-send-email-dave@stgolabs.net
+Signed-off-by: Davidlohr Bueso <dbueso at suse.de>
+Reported-by: Gareth Evans <gareth.evans at contextis.co.uk>
+Cc: Manfred Spraul <manfred at colorfullife.com>
+Cc: Michael Kerrisk <mtk.manpages at googlemail.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: Backported to 3.2: use SHMLBA constant instead of shmlba parameter]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -963,8 +963,13 @@ long do_shmat(int shmid, char __user *sh
+ 		goto out;
+ 	else if ((addr = (ulong)shmaddr)) {
+ 		if (addr & (SHMLBA-1)) {
+-			if (shmflg & SHM_RND)
+-				addr &= ~(SHMLBA-1);	   /* round down */
++			/*
++			 * Round down to the nearest multiple of shmlba.
++			 * For sane do_mmap_pgoff() parameters, avoid
++			 * round downs that trigger nil-page and MAP_FIXED.
++			 */
++			if ((shmflg & SHM_RND) && addr >= SHMLBA)
++				addr &= ~(SHMLBA - 1);
+ 			else
+ #ifndef __ARCH_FORCE_SHMLBA
+ 				if (addr & ~PAGE_MASK)
diff --git a/debian/patches/series b/debian/patches/series
index aad22d2..f74465e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1106,6 +1106,7 @@ features/all/hpsa/0011-hpsa-add-in-P840ar-controller-model-name.patch
 bugfix/all/netfilter-ipset-Check-and-reject-crazy-0-input-param.patch
 bugfix/all/KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
 bugfix/all/ecryptfs-fix-handling-of-directory-opening.patch
+bugfix/all/ipc-shm-fix-shmat-mmap-nil-page-protection.patch
 
 # ABI maintenance
 debian/perf-hide-abi-change-in-3.2.30.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list