af_netlink: force credentials passing [CVE-2012-3520]
This commit is contained in:
parent
90780aef64
commit
04489966aa
@ -0,0 +1,114 @@
|
|||
Subject: [PATCH] af_netlink: force credentials passing [CVE-2012-3520]
|
||||
From: Eric Dumazet <eric.dumazet@gmail.com>
|
||||
To: David Miller <davem@davemloft.net>
|
||||
Cc: netdev <netdev@vger.kernel.org>, Petr Matousek <pmatouse@redhat.com>,
|
||||
Florian Weimer <fweimer@redhat.com>,
|
||||
Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
Content-Type: text/plain; charset="UTF-8"
|
||||
Date: Tue, 21 Aug 2012 18:21:17 +0200
|
||||
Message-ID: <1345566077.5158.530.camel@edumazet-glaptop>
|
||||
Mime-Version: 1.0
|
||||
Content-Transfer-Encoding: 7bit
|
||||
Sender: netdev-owner@vger.kernel.org
|
||||
Precedence: bulk
|
||||
List-ID: <netdev.vger.kernel.org>
|
||||
X-Mailing-List: netdev@vger.kernel.org
|
||||
X-RedHat-Spam-Score: -6.999 (BAYES_00,DKIM_ADSP_CUSTOM_MED,DKIM_SIGNED,FREEMAIL_FROM,RCVD_IN_DNSWL_HI,RP_MATCHES_RCVD,T_DKIM_INVALID)
|
||||
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
|
||||
X-Scanned-By: MIMEDefang 2.68 on 10.5.110.16
|
||||
Status: RO
|
||||
Content-Length: 3042
|
||||
Lines: 91
|
||||
|
||||
From: Eric Dumazet <edumazet@google.com>
|
||||
|
||||
Pablo Neira Ayuso discovered that avahi and
|
||||
potentially NetworkManager accept spoofed Netlink messages because of a
|
||||
kernel bug. The kernel passes all-zero SCM_CREDENTIALS ancillary data
|
||||
to the receiver if the sender did not provide such data, instead of not
|
||||
including any such data at all or including the correct data from the
|
||||
peer (as it is the case with AF_UNIX).
|
||||
|
||||
This bug was introduced in commit 16e572626961
|
||||
(af_unix: dont send SCM_CREDENTIALS by default)
|
||||
|
||||
This patch forces passing credentials for netlink, as
|
||||
before the regression.
|
||||
|
||||
Another fix would be to not add SCM_CREDENTIALS in
|
||||
netlink messages if not provided by the sender, but it
|
||||
might break some programs.
|
||||
|
||||
With help from Florian Weimer & Petr Matousek
|
||||
|
||||
This issue is designated as CVE-2012-3520
|
||||
|
||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||||
Cc: Petr Matousek <pmatouse@redhat.com>
|
||||
Cc: Florian Weimer <fweimer@redhat.com>
|
||||
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
include/net/scm.h | 4 +++-
|
||||
net/netlink/af_netlink.c | 2 +-
|
||||
net/unix/af_unix.c | 4 ++--
|
||||
3 files changed, 6 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/include/net/scm.h b/include/net/scm.h
|
||||
index 079d788..7dc0854 100644
|
||||
--- a/include/net/scm.h
|
||||
+++ b/include/net/scm.h
|
||||
@@ -70,9 +70,11 @@ static __inline__ void scm_destroy(struct scm_cookie *scm)
|
||||
}
|
||||
|
||||
static __inline__ int scm_send(struct socket *sock, struct msghdr *msg,
|
||||
- struct scm_cookie *scm)
|
||||
+ struct scm_cookie *scm, bool forcecreds)
|
||||
{
|
||||
memset(scm, 0, sizeof(*scm));
|
||||
+ if (forcecreds)
|
||||
+ scm_set_cred(scm, task_tgid(current), current_cred());
|
||||
unix_get_peersec_dgram(sock, scm);
|
||||
if (msg->msg_controllen <= 0)
|
||||
return 0;
|
||||
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
|
||||
index 5463969..1445d73 100644
|
||||
--- a/net/netlink/af_netlink.c
|
||||
+++ b/net/netlink/af_netlink.c
|
||||
@@ -1362,7 +1362,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
|
||||
if (NULL == siocb->scm)
|
||||
siocb->scm = &scm;
|
||||
|
||||
- err = scm_send(sock, msg, siocb->scm);
|
||||
+ err = scm_send(sock, msg, siocb->scm, true);
|
||||
if (err < 0)
|
||||
return err;
|
||||
|
||||
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
|
||||
index e4768c1..c5ee4ff 100644
|
||||
--- a/net/unix/af_unix.c
|
||||
+++ b/net/unix/af_unix.c
|
||||
@@ -1450,7 +1450,7 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
|
||||
if (NULL == siocb->scm)
|
||||
siocb->scm = &tmp_scm;
|
||||
wait_for_unix_gc();
|
||||
- err = scm_send(sock, msg, siocb->scm);
|
||||
+ err = scm_send(sock, msg, siocb->scm, false);
|
||||
if (err < 0)
|
||||
return err;
|
||||
|
||||
@@ -1619,7 +1619,7 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
|
||||
if (NULL == siocb->scm)
|
||||
siocb->scm = &tmp_scm;
|
||||
wait_for_unix_gc();
|
||||
- err = scm_send(sock, msg, siocb->scm);
|
||||
+ err = scm_send(sock, msg, siocb->scm, false);
|
||||
if (err < 0)
|
||||
return err;
|
||||
|
||||
|
||||
|
||||
--
|
||||
To unsubscribe from this list: send the line "unsubscribe netdev" in
|
||||
the body of a message to majordomo@vger.kernel.org
|
||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
||||
|
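Review bot: The added patch file stores the raw mailing-list message rather than a trimmed patch: the transport headers (X-RedHat-Spam-Score, X-Scanned-By, Status, Content-Length, Lines) and the majordomo footer after `--` are committed alongside the diff. The spec's ApplyPatch presumably feeds this to `patch -p1`, which skips non-diff text, so the build is likely unaffected, but the extra headers obscure the patch's provenance and make later review of what was actually applied harder. I would keep only the Subject/From/Date header block, the description with its Signed-off-by/Cc trailers, and the three hunks, and add one line recording where the fix landed once it is merged, e.g. `Upstream-commit: <upstream commit id>`, so the patch can be retired cleanly on the next rebase.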
15
kernel.spec
15
kernel.spec
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 2
|
||||
%global baserelease 3
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
@ -646,10 +646,6 @@ Patch101: taint-rss.patch
|
|||
|
||||
Patch110: vmbugon-warnon.patch
|
||||
|
||||
Patch160: linux-2.6-32bit-mmap-exec-randomization.patch
|
||||
Patch161: linux-2.6-i386-nx-emulation.patch
|
||||
Patch162: nx-emu-remove-cpuinitdata-for-disable_nx-on-x86_32.patch
|
||||
|
||||
Patch390: linux-2.6-defaults-acpi-video.patch
|
||||
Patch391: linux-2.6-acpi-video-dos.patch
|
||||
Patch394: linux-2.6-acpi-debug-infinite-loop.patch
|
||||
|
@ -768,6 +764,8 @@ Patch22072: tcp-Apply-device-TSO-segment-limit-earlier.patch
|
|||
|
||||
Patch23000: fbcon-fix-race-condition-between-console-lock-and-cursor-timer.patch
|
||||
|
||||
Patch24000: af_netlink-credentials-cve-2012-3520.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -1473,6 +1471,8 @@ ApplyPatch tcp-Apply-device-TSO-segment-limit-earlier.patch
|
|||
|
||||
ApplyPatch fbcon-fix-race-condition-between-console-lock-and-cursor-timer.patch
|
||||
|
||||
ApplyPatch af_netlink-credentials-cve-2012-3520.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -2334,7 +2334,10 @@ fi
|
|||
# '-' | |
|
||||
# '-'
|
||||
%changelog
|
||||
* Tue Aug 21 2012 Dave Jones <davej@redhat.com>
|
||||
* Tue Aug 21 2012 Dave Jones <davej@redhat.com> 3.5.2-3
|
||||
- af_netlink: force credentials passing [CVE-2012-3520]
|
||||
|
||||
* Tue Aug 21 2012 Dave Jones <davej@redhat.com> 3.5.2-2
|
||||
- Add patch from Dave Airlie to fix fb cursor vs grub2 gfxterm hang
|
||||
|
||||
* Mon Aug 20 2012 Dave Jones <davej@redhat.com>
|
||||
|
|
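Review bot: The hunk at `@ -646,10 +646,6` drops the Patch160, Patch161 and Patch162 definitions (32bit mmap exec randomization and i386 NX emulation), but no matching change to their ApplyPatch lines is visible in this section and the new changelog entry records only the CVE-2012-3520 fix. If those ApplyPatch calls still exist outside the shown hunks the build may fail on the first of them; if the patches were already unapplied earlier, this is a stale-definition cleanup that the changelog should still record, e.g. `- Drop unused Patch160-162 (32bit mmap exec randomization / i386 nx emulation) definitions`. The `* Tue Aug 21 2012 Dave Jones <davej@redhat.com>` header gaining the `3.5.2-3` suffix does match the `%global baserelease 3` bump, so that part is consistent.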