[linux] 01/01: ipc/shm: Fix shmat mmap nil-page protection (CVE-2017-5669)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Tue Mar 7 16:15:34 UTC 2017 

This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch jessie-security
in repository linux.

commit 6e439ff8edc49fa10dbcafb2259bcae1b5d78f6f
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Tue Mar 7 17:10:02 2017 +0100

    ipc/shm: Fix shmat mmap nil-page protection (CVE-2017-5669)
---
 debian/changelog                                   |  6 ++
 ...pc-shm-Fix-shmat-mmap-nil-page-protection.patch | 76 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 83 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index af26780..fa82d46 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+linux (3.16.39-1+deb8u2) UNRELEASED; urgency=medium
+
+  * ipc/shm: Fix shmat mmap nil-page protection (CVE-2017-5669)
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Tue, 07 Mar 2017 17:10:30 +0100
+
 linux (3.16.39-1+deb8u1) jessie-security; urgency=high
 
   [ Salvatore Bonaccorso ]
diff --git a/debian/patches/bugfix/all/ipc-shm-Fix-shmat-mmap-nil-page-protection.patch b/debian/patches/bugfix/all/ipc-shm-Fix-shmat-mmap-nil-page-protection.patch
new file mode 100644
index 0000000..e688e74
--- /dev/null
+++ b/debian/patches/bugfix/all/ipc-shm-Fix-shmat-mmap-nil-page-protection.patch
@@ -0,0 +1,76 @@
+From: Davidlohr Bueso <dave at stgolabs.net>
+Date: Mon, 27 Feb 2017 14:28:24 -0800
+Subject: ipc/shm: Fix shmat mmap nil-page protection
+Origin: https://git.kernel.org/linus/95e91b831f87ac8e1f8ed50c14d709089b4e01b8
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5669
+
+The issue is described here, with a nice testcase:
+
+    https://bugzilla.kernel.org/show_bug.cgi?id=192931
+
+The problem is that shmat() calls do_mmap_pgoff() with MAP_FIXED, and
+the address rounded down to 0.  For the regular mmap case, the
+protection mentioned above is that the kernel gets to generate the
+address -- arch_get_unmapped_area() will always check for MAP_FIXED and
+return that address.  So by the time we do security_mmap_addr(0) things
+get funky for shmat().
+
+The testcase itself shows that while a regular user crashes, root will
+not have a problem attaching a nil-page.  There are two possible fixes
+to this.  The first, and which this patch does, is to simply allow root
+to crash as well -- this is also regular mmap behavior, ie when hacking
+up the testcase and adding mmap(...  |MAP_FIXED).  While this approach
+is the safer option, the second alternative is to ignore SHM_RND if the
+rounded address is 0, thus only having MAP_SHARED flags.  This makes the
+behavior of shmat() identical to the mmap() case.  The downside of this
+is obviously user visible, but does make sense in that it maintains
+semantics after the round-down wrt 0 address and mmap.
+
+Passes shm related ltp tests.
+
+Link: http://lkml.kernel.org/r/1486050195-18629-1-git-send-email-dave@stgolabs.net
+Signed-off-by: Davidlohr Bueso <dbueso at suse.de>
+Reported-by: Gareth Evans <gareth.evans at contextis.co.uk>
+Cc: Manfred Spraul <manfred at colorfullife.com>
+Cc: Michael Kerrisk <mtk.manpages at googlemail.com>
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ ipc/shm.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/ipc/shm.c b/ipc/shm.c
+index d7805ac..06ea9ef 100644
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -1091,8 +1091,8 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
+  * "raddr" thing points to kernel space, and there has to be a wrapper around
+  * this.
+  */
+-long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
+-	      unsigned long shmlba)
++long do_shmat(int shmid, char __user *shmaddr, int shmflg,
++	      ulong *raddr, unsigned long shmlba)
+ {
+ 	struct shmid_kernel *shp;
+ 	unsigned long addr;
+@@ -1113,8 +1113,13 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
+ 		goto out;
+ 	else if ((addr = (ulong)shmaddr)) {
+ 		if (addr & (shmlba - 1)) {
+-			if (shmflg & SHM_RND)
+-				addr &= ~(shmlba - 1);	   /* round down */
++			/*
++			 * Round down to the nearest multiple of shmlba.
++			 * For sane do_mmap_pgoff() parameters, avoid
++			 * round downs that trigger nil-page and MAP_FIXED.
++			 */
++			if ((shmflg & SHM_RND) && addr >= shmlba)
++				addr &= ~(shmlba - 1);
+ 			else
+ #ifndef __ARCH_FORCE_SHMLBA
+ 				if (addr & ~PAGE_MASK)
+-- 
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index 08106a9..ccac829 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -693,6 +693,7 @@ bugfix/all/tmpfs-clear-s_isgid-when-setting-posix-acls.patch
 bugfix/all/ip6_gre-fix-ip6gre_err-invalid-reads.patch
 bugfix/x86/kvm-fix-page-struct-leak-in-handle_vmon.patch
 bugfix/all/ipv4-keep-skb-dst-around-in-presence-of-ip-options.patch
+bugfix/all/ipc-shm-Fix-shmat-mmap-nil-page-protection.patch
 
 # Fix ABI changes
 debian/of-fix-abi-changes.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list