CVE-2015-7613 Unauthorized access to IPC via SysV shm (rhbz 1268270 1268273)
parent
a95bfb8427
commit
5e3798ffdb
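--- /dev/null
+++ b/Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch
@@ -0,0 +1,117 @@
+From b9a532277938798b53178d5a66af6e2915cb27cf Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed, 30 Sep 2015 12:48:40 -0400
+Subject: [PATCH] Initialize msg/shm IPC objects before doing ipc_addid()
+
+As reported by Dmitry Vyukov, we really shouldn't do ipc_addid() before
+having initialized the IPC object state. Yes, we initialize the IPC
+object in a locked state, but with all the lockless RCU lookup work,
+that IPC object lock no longer means that the state cannot be seen.
+
+We already did this for the IPC semaphore code (see commit e8577d1f0329:
+"ipc/sem.c: fully initialize sem_array before making it visible") but we
+clearly forgot about msg and shm.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: Manfred Spraul <manfred@colorfullife.com>
+Cc: Davidlohr Bueso <dbueso@suse.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ipc/msg.c | 14 +++++++-------
+ipc/shm.c | 13 +++++++------
+ipc/util.c | 8 ++++----
+3 files changed, 18 insertions(+), 17 deletions(-)
+
+diff --git a/ipc/msg.c b/ipc/msg.c
+index 66c4f567eb73..1471db9a7e61 100644
+--- a/ipc/msg.c
++++ b/ipc/msg.c
+@@ -137,13 +137,6 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params)
+return retval;
+}
+
+- /* ipc_addid() locks msq upon success. */
+- id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
+- if (id < 0) {
+- ipc_rcu_putref(msq, msg_rcu_free);
+- return id;
+- }
+-
+msq->q_stime = msq->q_rtime = 0;
+msq->q_ctime = get_seconds();
+msq->q_cbytes = msq->q_qnum = 0;
+@@ -153,6 +146,13 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params)
+INIT_LIST_HEAD(&msq->q_receivers);
+INIT_LIST_HEAD(&msq->q_senders);
+
++ /* ipc_addid() locks msq upon success. */
++ id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
++ if (id < 0) {
++ ipc_rcu_putref(msq, msg_rcu_free);
++ return id;
++ }
++
+ipc_unlock_object(&msq->q_perm);
+rcu_read_unlock();
+
+diff --git a/ipc/shm.c b/ipc/shm.c
+index 222131e8e38f..41787276e141 100644
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -551,12 +551,6 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
+if (IS_ERR(file))
+goto no_file;
+
+- id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
+- if (id < 0) {
+- error = id;
+- goto no_id;
+- }
+-
+shp->shm_cprid = task_tgid_vnr(current);
+shp->shm_lprid = 0;
+shp->shm_atim = shp->shm_dtim = 0;
+@@ -565,6 +559,13 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
+shp->shm_nattch = 0;
+shp->shm_file = file;
+shp->shm_creator = current;
++
++ id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
++ if (id < 0) {
++ error = id;
++ goto no_id;
++ }
++
+list_add(&shp->shm_clist, ¤t->sysvshm.shm_clist);
+
+/*
+diff --git a/ipc/util.c b/ipc/util.c
+index be4230020a1f..0f401d94b7c6 100644
+--- a/ipc/util.c
++++ b/ipc/util.c
+@@ -237,6 +237,10 @@ int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int size)
+rcu_read_lock();
+spin_lock(&new->lock);
+
++ current_euid_egid(&euid, &egid);
++ new->cuid = new->uid = euid;
++ new->gid = new->cgid = egid;
++
+id = idr_alloc(&ids->ipcs_idr, new,
+(next_id < 0) ? 0 : ipcid_to_idx(next_id), 0,
+GFP_NOWAIT);
+@@ -249,10 +253,6 @@ int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int size)
+
+ids->in_use++;
+
+- current_euid_egid(&euid, &egid);
+- new->cuid = new->uid = euid;
+- new->gid = new->cgid = egid;
+-
+if (next_id < 0) {
+new->seq = ids->seq++;
+if (ids->seq > IPCID_SEQ_MAX)
+--
+2.4.3
+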
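Review bot: In the ipc/util.c part of this patch the owner/creator uid and gid are now filled in before idr_alloc() publishes the object, but `new->seq = ids->seq++` is still assigned after `ids->in_use++`, i.e. after the object is reachable through the idr; presumably a lookup racing with that window sees seq == 0 and is rejected by the seq check in the lookup path rather than handed a half-built object, which is worth confirming against ipc_obtain_object_check() and noting in the code, e.g. `/* Everything ipcperms() reads must be valid before idr_alloc() makes the object visible to RCU lookups; seq is checked by the lookup itself. */`. ipc_addid(), newque() and newseg() all start and end outside the visible hunks, so the key/mode/security setup that the moved ipc_addid() calls now follow is not shown here. Note also that `¤t->sysvshm.shm_clist` in the shm.c hunk is an HTML-entity mangling of `&current->sysvshm.shm_clist`; the on-disk patch should be compared with upstream b9a532277938 before this page's text is reused anywhere.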
@ -633,6 +633,9 @@ Patch527: USB-whiteheat-fix-potential-null-deref-at-probe.patch
Patch528: dcache-Handle-escaped-paths-in-prepend_path.patch
Patch528: dcache-Handle-escaped-paths-in-prepend_path.patch
Patch529: vfs-Test-for-and-handle-paths-that-are-unreachable-f.patch
Patch529: vfs-Test-for-and-handle-paths-that-are-unreachable-f.patch
|
#CVE-2015-7613 rhbz 1268270 1268273
Patch532: Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch
|
# END OF PATCH DEFINITIONS
# END OF PATCH DEFINITIONS
|
%endif
%endif
@ -1385,6 +1388,9 @@ ApplyPatch regulator-axp20x-module-alias.patch
ApplyPatch dcache-Handle-escaped-paths-in-prepend_path.patch
ApplyPatch dcache-Handle-escaped-paths-in-prepend_path.patch
ApplyPatch vfs-Test-for-and-handle-paths-that-are-unreachable-f.patch
ApplyPatch vfs-Test-for-and-handle-paths-that-are-unreachable-f.patch
|
#CVE-2015-7613 rhbz 1268270 1268273
ApplyPatch Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch
|
# END OF PATCH APPLICATIONS
# END OF PATCH APPLICATIONS
|
%endif
%endif
@ -2235,6 +2241,9 @@ fi
#
#
#
#
%changelog
%changelog
* Fri Oct 02 2015 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2015-7613 Unauthorized access to IPC via SysV shm (rhbz 1268270 1268273)
|
* Thu Oct 01 2015 Josh Boyer <jwboyer@fedoraproject.org>
* Thu Oct 01 2015 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2015-2925 Don't allow bind mount escape (rhbz 1209367 1209373)
- CVE-2015-2925 Don't allow bind mount escape (rhbz 1209367 1209373)
|
|
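Review bot: The `#CVE-2015-7613 rhbz 1268270 1268273` marker added above Patch532 records the bug ids but not the upstream commit the patch backports, so nothing in kernel.spec ties Patch532 to what a future rebase should check for; `#CVE-2015-7613 rhbz 1268270 1268273 (upstream b9a532277938)` would let the next rebase drop the patch confidently once that commit is in the base tree. The patch number also jumps from Patch529 to Patch532, which is harmless if 530 and 531 are defined elsewhere in the spec but otherwise leaves a gap that later readers may misread as a dropped patch. The changelog entry follows the form of the preceding CVE-2015-2925 entry, so no change is needed there.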