Fix credentials leakage regression (#700637)

2011-05-03 09:09:02 -04:00 · 2011-05-03 09:09:02 -04:00 · 2c4c81ad30
parent b8c6e51855
commit 2c4c81ad30
3 changed files with 95 additions and 0 deletions
--- a/af_netlink-add-needed-scm_destroy-after-scm_send.patch
+++ b/af_netlink-add-needed-scm_destroy-after-scm_send.patch
@ -0,0 +1,57 @@
+From: Eric W. Biederman <ebiederm@xmission.com>
+Date: Sun, 13 Jun 2010 03:31:06 +0000 (+0000)
+Subject: af_netlink: Add needed scm_destroy after scm_send.
+X-Git-Tag: v2.6.36-rc1~571^2~552
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=b47030c71dfd6c8cd5cb6e551b6f7f7cfc96f6a6
+
+af_netlink: Add needed scm_destroy after scm_send.
+
+scm_send occasionally allocates state in the scm_cookie, so I have
+modified netlink_sendmsg to guarantee that when scm_send succeeds
+scm_destory will be called to free that state.
+
+Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
+Reviewed-by: Daniel Lezcano <daniel.lezcano@free.fr>
+Acked-by: Pavel Emelyanov <xemul@openvz.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index a2eb965..7aeaa83 100644
+--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
+@@ -1323,19 +1323,23 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
+ 	if (msg->msg_flags&MSG_OOB)
+ 		return -EOPNOTSUPP;
+ 
+-	if (NULL == siocb->scm)
+	if (NULL == siocb->scm) {
+ 		siocb->scm = &scm;
+		memset(&scm, 0, sizeof(scm));
+	}
+ 	err = scm_send(sock, msg, siocb->scm);
+ 	if (err < 0)
+ 		return err;
+ 
+ 	if (msg->msg_namelen) {
+		err = -EINVAL;
+ 		if (addr->nl_family != AF_NETLINK)
+-			return -EINVAL;
+			goto out;
+ 		dst_pid = addr->nl_pid;
+ 		dst_group = ffs(addr->nl_groups);
+		err =  -EPERM;
+ 		if (dst_group && !netlink_capable(sock, NL_NONROOT_SEND))
+-			return -EPERM;
+			goto out;
+ 	} else {
+ 		dst_pid = nlk->dst_pid;
+ 		dst_group = nlk->dst_group;
+@@ -1387,6 +1391,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
+ 	err = netlink_unicast(sk, skb, dst_pid, msg->msg_flags&MSG_DONTWAIT);
+ 
+ out:
+	scm_destroy(siocb->scm);
+ 	return err;
+ }
+ 
--- a/kernel.spec
+++ b/kernel.spec
@ -839,6 +839,10 @@ Patch13958: agp-fix-oom-and-buffer-overflow.patch
 # CVE-2011-1494, CVE-2011-1495
 Patch13960: scsi-mpt2sas-prevent-heap-overflows-and-unchecked-reads.patch

+# fix credentials leakage regression (#700637)
+Patch13961: revert-incomplete-af_netlink-add-needed-scm-destroy-after-scm-send.patch
+Patch13962: af_netlink-add-needed-scm_destroy-after-scm_send.patch
+
 %endif

 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@ -1577,6 +1581,10 @@ ApplyPatch agp-fix-oom-and-buffer-overflow.patch
 # CVE-2011-1494, CVE-2011-1495
 ApplyPatch scsi-mpt2sas-prevent-heap-overflows-and-unchecked-reads.patch

+# fix credentials leakage regression (#700637)
+ApplyPatch revert-incomplete-af_netlink-add-needed-scm-destroy-after-scm-send.patch
+ApplyPatch af_netlink-add-needed-scm_destroy-after-scm_send.patch
+
 # END OF PATCH APPLICATIONS

 %endif
@ -2168,6 +2176,7 @@ fi
  (CVE-2011-1494, CVE-2011-1495)
 - agp: fix arbitrary kernel memory writes (CVE-2011-1745)
 - agp: fix OOM and buffer overflow (CVE-2011-1746)
+- Fix credentials leakage regression (#700637)

 * Thu Apr 29 2011 Chuck Ebbert <cebbert@redhat.com>
 - Linux 2.6.35.13
--- a/revert-incomplete-af_netlink-add-needed-scm-destroy-after-scm-send.patch
+++ b/revert-incomplete-af_netlink-add-needed-scm-destroy-after-scm-send.patch
@ -0,0 +1,29 @@
+2.6.35.11 added two patches:
+  af_netlink-add-needed-scm_destroy-after-scm_send
+  fix-cred-leak-in-af_netlink
+
+The first one was supposedly a backport of upstream commit
+b47030c71dfd6c8cd5cb6e551b6f7f7cfc96f6a6, but it was incomplete and the
+rest of that commit was in the second patch. I asked for the second
+patch to be reverted in 2.6.35.12, thinking it was a duplicate fix for
+the credentials leakage, and that caused the leak to return. This patch
+reverts the first of those two patches so we can apply the complete
+upstream patch.
+
+Signed-off-by: Chuck Ebbert <cebbert@redhat.com>
+
+--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
+@@ -1323,11 +1323,8 @@
+ 	if (msg->msg_flags&MSG_OOB)
+ 		return -EOPNOTSUPP;
+ 
+	if (NULL == siocb->scm)
+-	if (NULL == siocb->scm) {
+ 		siocb->scm = &scm;
+-		memset(&scm, 0, sizeof(scm));
+-	}
+-
+ 	err = scm_send(sock, msg, siocb->scm);
+ 	if (err < 0)
+ 		return err;