[linux] 01/01: nfsd: auth: Fix gid sorting when rootsquash enabled (CVE-2018-1000028)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Sun Jan 28 20:19:56 UTC 2018


This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch stretch
in repository linux.

commit a3ebb3ffecf94d1f53067aeb883c555e1e7d32b3
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Sun Jan 28 21:14:45 2018 +0100

    nfsd: auth: Fix gid sorting when rootsquash enabled (CVE-2018-1000028)
---
 debian/changelog                                   |  3 ++
 ...h-Fix-gid-sorting-when-rootsquash-enabled.patch | 46 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 50 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 3ecb394..42db8f1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -832,6 +832,9 @@ linux (4.9.78-1) UNRELEASED; urgency=medium
     - refresh for fuzz (228)
   * Revert "module: Add retpoline tag to VERMAGIC".
 
+  [ Salvatore Bonaccorso ]
+  * nfsd: auth: Fix gid sorting when rootsquash enabled (CVE-2018-1000028)
+
  -- Ben Hutchings <ben at decadent.org.uk>  Thu, 28 Dec 2017 02:16:23 +0000
 
 linux (4.9.65-3+deb9u2) stretch-security; urgency=high
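Review bot: The new `[ Salvatore Bonaccorso ]` entry names the CVE but not the regression it repairs, and it lands in a stanza whose header still reads `urgency=medium`. The patch header identifies bdcf0a423ea1 as the commit being fixed, so the changelog line could say which change introduced the breakage, letting readers judge which uploaded versions are affected. It is also worth checking whether the urgency of 4.9.78-1 should be raised now that the stanza carries a security fix, given that the previous stretch-security upload shown below it used `urgency=high`.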
diff --git a/debian/patches/bugfix/all/nfsd-auth-Fix-gid-sorting-when-rootsquash-enabled.patch b/debian/patches/bugfix/all/nfsd-auth-Fix-gid-sorting-when-rootsquash-enabled.patch
new file mode 100644
index 0000000..c2e3cc8
--- /dev/null
+++ b/debian/patches/bugfix/all/nfsd-auth-Fix-gid-sorting-when-rootsquash-enabled.patch
@@ -0,0 +1,46 @@
+From: Ben Hutchings <ben.hutchings at codethink.co.uk>
+Date: Mon, 22 Jan 2018 20:11:06 +0000
+Subject: nfsd: auth: Fix gid sorting when rootsquash enabled
+Origin: https://git.kernel.org/linus/1995266727fa8143897e89b55f5d3c79aa828420
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1000028
+
+Commit bdcf0a423ea1 ("kernel: make groups_sort calling a responsibility
+group_info allocators") appears to break nfsd rootsquash in a pretty
+major way.
+
+It adds a call to groups_sort() inside the loop that copies/squashes
+gids, which means the valid gids are sorted along with the following
+garbage.  The net result is that the highest numbered valid gids are
+replaced with any lower-valued garbage gids, possibly including 0.
+
+We should sort only once, after filling in all the gids.
+
+Fixes: bdcf0a423ea1 ("kernel: make groups_sort calling a responsibility ...")
+Signed-off-by: Ben Hutchings <ben.hutchings at codethink.co.uk>
+Acked-by: J. Bruce Fields <bfields at redhat.com>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ fs/nfsd/auth.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/nfsd/auth.c b/fs/nfsd/auth.c
+index f650e475d8f0..fdf2aad73470 100644
+--- a/fs/nfsd/auth.c
++++ b/fs/nfsd/auth.c
+@@ -60,10 +60,10 @@ int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp)
+ 				gi->gid[i] = exp->ex_anon_gid;
+ 			else
+ 				gi->gid[i] = rqgi->gid[i];
+-
+-			/* Each thread allocates its own gi, no race */
+-			groups_sort(gi);
+ 		}
++
++		/* Each thread allocates its own gi, no race */
++		groups_sort(gi);
+ 	} else {
+ 		gi = get_group_info(rqgi);
+ 	}
+-- 
+2.11.0
+
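Review bot: In the nested fs/nfsd/auth.c hunk, the comment that moves with `groups_sort(gi)` ("Each thread allocates its own gi, no race") explains why the sort is race-free but not why it must sit after the loop, which is the actual point of the fix. Since the commit message says sorting inside the loop mixes valid gids with the not-yet-filled entries and can leave a lower-valued garbage gid (possibly 0) in place of a valid one, the comment should also state that the sort must run only once all of `gi->gid[]` has been filled in, so a later refactor does not move it back inside the loop. The `Fixes:` line also truncates the subject with "...", while the full subject is quoted in the first paragraph of the message. Using the full form in both places keeps the tag greppable.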
diff --git a/debian/patches/series b/debian/patches/series
index e81b51c..065b9fe 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -141,6 +141,7 @@ bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch
 bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch
 bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch
 bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch
+bugfix/all/nfsd-auth-Fix-gid-sorting-when-rootsquash-enabled.patch
 
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


