af_netlink: force credentials passing [CVE-2012-3520]

af_netlink-credentials-cve-2012-3520.patch

@@ -0,0 +1,114 @@
+Subject: [PATCH] af_netlink: force credentials passing [CVE-2012-3520]
+From: Eric Dumazet <eric.dumazet@gmail.com>
+To: David Miller <davem@davemloft.net>
+Cc: netdev <netdev@vger.kernel.org>, Petr Matousek <pmatouse@redhat.com>,
+        Florian Weimer <fweimer@redhat.com>,
+        Pablo Neira Ayuso <pablo@netfilter.org>
+Content-Type: text/plain; charset="UTF-8"
+Date:	Tue, 21 Aug 2012 18:21:17 +0200
+Message-ID: <1345566077.5158.530.camel@edumazet-glaptop>
+Mime-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Sender: netdev-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <netdev.vger.kernel.org>
+X-Mailing-List:	netdev@vger.kernel.org
+X-RedHat-Spam-Score: -6.999  (BAYES_00,DKIM_ADSP_CUSTOM_MED,DKIM_SIGNED,FREEMAIL_FROM,RCVD_IN_DNSWL_HI,RP_MATCHES_RCVD,T_DKIM_INVALID)
+X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
+X-Scanned-By: MIMEDefang 2.68 on 10.5.110.16
+Status: RO
+Content-Length: 3042
+Lines: 91
+
+From: Eric Dumazet <edumazet@google.com>
+
+Pablo Neira Ayuso discovered that avahi and 
+potentially NetworkManager accept spoofed Netlink messages because of a 
+kernel bug.  The kernel passes all-zero SCM_CREDENTIALS ancillary data 
+to the receiver if the sender did not provide such data, instead of not 
+including any such data at all or including the correct data from the 
+peer (as it is the case with AF_UNIX).
+
+This bug was introduced in commit 16e572626961
+(af_unix: dont send SCM_CREDENTIALS by default)
+
+This patch forces passing credentials for netlink, as
+before the regression.
+
+Another fix would be to not add SCM_CREDENTIALS in
+netlink messages if not provided by the sender, but it
+might break some programs.
+
+With help from Florian Weimer & Petr Matousek
+
+This issue is designated as CVE-2012-3520
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Petr Matousek <pmatouse@redhat.com>
+Cc: Florian Weimer <fweimer@redhat.com>
+Cc: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ include/net/scm.h        |    4 +++-
+ net/netlink/af_netlink.c |    2 +-
+ net/unix/af_unix.c       |    4 ++--
+ 3 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/scm.h b/include/net/scm.h
+index 079d788..7dc0854 100644
+--- a/include/net/scm.h
++++ b/include/net/scm.h
+@@ -70,9 +70,11 @@ static __inline__ void scm_destroy(struct scm_cookie *scm)
+ }
+ 
+ static __inline__ int scm_send(struct socket *sock, struct msghdr *msg,
+-			       struct scm_cookie *scm)
++			       struct scm_cookie *scm, bool forcecreds)
+ {
+ 	memset(scm, 0, sizeof(*scm));
++	if (forcecreds)
++		scm_set_cred(scm, task_tgid(current), current_cred());
+ 	unix_get_peersec_dgram(sock, scm);
+ 	if (msg->msg_controllen <= 0)
+ 		return 0;
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index 5463969..1445d73 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1362,7 +1362,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
+ 	if (NULL == siocb->scm)
+ 		siocb->scm = &scm;
+ 
+-	err = scm_send(sock, msg, siocb->scm);
++	err = scm_send(sock, msg, siocb->scm, true);
+ 	if (err < 0)
+ 		return err;
+ 
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index e4768c1..c5ee4ff 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -1450,7 +1450,7 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
+ 	if (NULL == siocb->scm)
+ 		siocb->scm = &tmp_scm;
+ 	wait_for_unix_gc();
+-	err = scm_send(sock, msg, siocb->scm);
++	err = scm_send(sock, msg, siocb->scm, false);
+ 	if (err < 0)
+ 		return err;
+ 
+@@ -1619,7 +1619,7 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
+ 	if (NULL == siocb->scm)
+ 		siocb->scm = &tmp_scm;
+ 	wait_for_unix_gc();
+-	err = scm_send(sock, msg, siocb->scm);
++	err = scm_send(sock, msg, siocb->scm, false);
+ 	if (err < 0)
+ 		return err;
+ 
+
+
+--
+To unsubscribe from this list: send the line "unsubscribe netdev" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at  http://vger.kernel.org/majordomo-info.html
+

kernel.spec

@@ -54,7 +54,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 1
+%global baserelease 2
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -718,6 +718,11 @@ Patch22070: net-Allow-driver-to-limit-number-of-GSO-segments-per-skb.patch
 Patch22071: sfc-Fix-maximum-number-of-TSO-segments-and-minimum-TX-queue-size.patch
 Patch22072: tcp-Apply-device-TSO-segment-limit-earlier.patch
 
+Patch22075: af_netlink-credentials-cve-2012-3520.patch
+
+#Patches from the 3.4.10 stable queue
+Patch22100: linux-3.4.10-queue.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1341,6 +1346,11 @@ ApplyPatch net-Allow-driver-to-limit-number-of-GSO-segments-per-skb.patch
 ApplyPatch sfc-Fix-maximum-number-of-TSO-segments-and-minimum-TX-queue-size.patch
 ApplyPatch tcp-Apply-device-TSO-segment-limit-earlier.patch
 
+ApplyPatch af_netlink-credentials-cve-2012-3520.patch
+
+#Patches from the 3.4.10 stable queue
+ApplyPatch linux-3.4.10-queue.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2039,6 +2049,10 @@ fi
 # and build.
 
 %changelog
+* Thu Aug 23 2012 Justin M. Forbes <jforbes@redhat.com> 3.4.9-2
+- af_netlink: force credentials passing [CVE-2012-3520]
+- Add patches from 3.4.10 queue
+
 * Wed Aug 15 2012 Justin M. Forbes <jforbes@redhat.com> 3.4.9-1
 - Linux 3.4.9