af_netlink: force credentials passing [CVE-2012-3520]
parent
ecc0fbceb4
commit
e0bf103272
|
@ -0,0 +1,114 @@
|
|||
Subject: [PATCH] af_netlink: force credentials passing [CVE-2012-3520]
|
||||
From: Eric Dumazet <eric.dumazet@gmail.com>
|
||||
To: David Miller <davem@davemloft.net>
|
||||
Cc: netdev <netdev@vger.kernel.org>, Petr Matousek <pmatouse@redhat.com>,
|
||||
Florian Weimer <fweimer@redhat.com>,
|
||||
Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
Content-Type: text/plain; charset="UTF-8"
|
||||
Date: Tue, 21 Aug 2012 18:21:17 +0200
|
||||
Message-ID: <1345566077.5158.530.camel@edumazet-glaptop>
|
||||
Mime-Version: 1.0
|
||||
Content-Transfer-Encoding: 7bit
|
||||
Sender: netdev-owner@vger.kernel.org
|
||||
Precedence: bulk
|
||||
List-ID: <netdev.vger.kernel.org>
|
||||
X-Mailing-List: netdev@vger.kernel.org
|
||||
X-RedHat-Spam-Score: -6.999 (BAYES_00,DKIM_ADSP_CUSTOM_MED,DKIM_SIGNED,FREEMAIL_FROM,RCVD_IN_DNSWL_HI,RP_MATCHES_RCVD,T_DKIM_INVALID)
|
||||
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
|
||||
X-Scanned-By: MIMEDefang 2.68 on 10.5.110.16
|
||||
Status: RO
|
||||
Content-Length: 3042
|
||||
Lines: 91
|
||||
|
||||
From: Eric Dumazet <edumazet@google.com>
|
||||
|
||||
Pablo Neira Ayuso discovered that avahi and
|
||||
potentially NetworkManager accept spoofed Netlink messages because of a
|
||||
kernel bug. The kernel passes all-zero SCM_CREDENTIALS ancillary data
|
||||
to the receiver if the sender did not provide such data, instead of not
|
||||
including any such data at all or including the correct data from the
|
||||
peer (as it is the case with AF_UNIX).
|
||||
|
||||
This bug was introduced in commit 16e572626961
|
||||
(af_unix: dont send SCM_CREDENTIALS by default)
|
||||
|
||||
This patch forces passing credentials for netlink, as
|
||||
before the regression.
|
||||
|
||||
Another fix would be to not add SCM_CREDENTIALS in
|
||||
netlink messages if not provided by the sender, but it
|
||||
might break some programs.
|
||||
|
||||
With help from Florian Weimer & Petr Matousek
|
||||
|
||||
This issue is designated as CVE-2012-3520
|
||||
|
||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||||
Cc: Petr Matousek <pmatouse@redhat.com>
|
||||
Cc: Florian Weimer <fweimer@redhat.com>
|
||||
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
include/net/scm.h | 4 +++-
|
||||
net/netlink/af_netlink.c | 2 +-
|
||||
net/unix/af_unix.c | 4 ++--
|
||||
3 files changed, 6 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/include/net/scm.h b/include/net/scm.h
|
||||
index 079d788..7dc0854 100644
|
||||
--- a/include/net/scm.h
|
||||
+++ b/include/net/scm.h
|
||||
@@ -70,9 +70,11 @@ static __inline__ void scm_destroy(struct scm_cookie *scm)
|
||||
}
|
||||
|
||||
static __inline__ int scm_send(struct socket *sock, struct msghdr *msg,
|
||||
- struct scm_cookie *scm)
|
||||
+ struct scm_cookie *scm, bool forcecreds)
|
||||
{
|
||||
memset(scm, 0, sizeof(*scm));
|
||||
+ if (forcecreds)
|
||||
+ scm_set_cred(scm, task_tgid(current), current_cred());
|
||||
unix_get_peersec_dgram(sock, scm);
|
||||
if (msg->msg_controllen <= 0)
|
||||
return 0;
|
||||
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
|
||||
index 5463969..1445d73 100644
|
||||
--- a/net/netlink/af_netlink.c
|
||||
+++ b/net/netlink/af_netlink.c
|
||||
@@ -1362,7 +1362,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
|
||||
if (NULL == siocb->scm)
|
||||
siocb->scm = &scm;
|
||||
|
||||
- err = scm_send(sock, msg, siocb->scm);
|
||||
+ err = scm_send(sock, msg, siocb->scm, true);
|
||||
if (err < 0)
|
||||
return err;
|
||||
|
||||
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
|
||||
index e4768c1..c5ee4ff 100644
|
||||
--- a/net/unix/af_unix.c
|
||||
+++ b/net/unix/af_unix.c
|
||||
@@ -1450,7 +1450,7 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
|
||||
if (NULL == siocb->scm)
|
||||
siocb->scm = &tmp_scm;
|
||||
wait_for_unix_gc();
|
||||
- err = scm_send(sock, msg, siocb->scm);
|
||||
+ err = scm_send(sock, msg, siocb->scm, false);
|
||||
if (err < 0)
|
||||
return err;
|
||||
|
||||
@@ -1619,7 +1619,7 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
|
||||
if (NULL == siocb->scm)
|
||||
siocb->scm = &tmp_scm;
|
||||
wait_for_unix_gc();
|
||||
- err = scm_send(sock, msg, siocb->scm);
|
||||
+ err = scm_send(sock, msg, siocb->scm, false);
|
||||
if (err < 0)
|
||||
return err;
|
||||
|
||||
|
||||
|
||||
--
|
||||
To unsubscribe from this list: send the line "unsubscribe netdev" in
|
||||
the body of a message to majordomo@vger.kernel.org
|
||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
||||
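Review bot: The new `forcecreds` parameter of scm_send() in include/net/scm.h is a bare bool with no comment, so the `true` passed in netlink_sendmsg() and the `false` passed in the two AF_UNIX senders give no hint that a security property depends on the choice. I would add above scm_send(): `/* forcecreds: always attach the sender's pid and credentials, even when msg carries no SCM_CREDENTIALS; netlink passes true so receivers get the real sender instead of all-zero data (CVE-2012-3520) */`. Because scm_set_cred() now runs on every netlink send and presumably takes pid and cred references, it is also worth confirming that every exit path of netlink_sendmsg() after this call releases the cookie through scm_destroy(). Those paths, and the remainder of scm_send(), lie outside the hunks shown. The change only makes the delivered values accurate, so receivers such as the daemons named in the description still have to check the credentials they are handed.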
|
16
kernel.spec
16
kernel.spec
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 1
|
||||
%global baserelease 2
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
@ -718,6 +718,11 @@ Patch22070: net-Allow-driver-to-limit-number-of-GSO-segments-per-skb.patch
|
|||
Patch22071: sfc-Fix-maximum-number-of-TSO-segments-and-minimum-TX-queue-size.patch
|
||||
Patch22072: tcp-Apply-device-TSO-segment-limit-earlier.patch
|
||||
|
||||
Patch22075: af_netlink-credentials-cve-2012-3520.patch
|
||||
|
||||
#Patches from the 3.4.10 stable queue
|
||||
Patch22100: linux-3.4.10-queue.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -1341,6 +1346,11 @@ ApplyPatch net-Allow-driver-to-limit-number-of-GSO-segments-per-skb.patch
|
|||
ApplyPatch sfc-Fix-maximum-number-of-TSO-segments-and-minimum-TX-queue-size.patch
|
||||
ApplyPatch tcp-Apply-device-TSO-segment-limit-earlier.patch
|
||||
|
||||
ApplyPatch af_netlink-credentials-cve-2012-3520.patch
|
||||
|
||||
#Patches from the 3.4.10 stable queue
|
||||
ApplyPatch linux-3.4.10-queue.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -2039,6 +2049,10 @@ fi
|
|||
# and build.
|
||||
|
||||
%changelog
|
||||
* Thu Aug 23 2012 Justin M. Forbes <jforbes@redhat.com> 3.4.9-2
|
||||
- af_netlink: force credentials passing [CVE-2012-3520]
|
||||
- Add patches from 3.4.10 queue
|
||||
|
||||
* Wed Aug 15 2012 Justin M. Forbes <jforbes@redhat.com> 3.4.9-1
|
||||
- Linux 3.4.9
|
||||
|
||||
|
|
File diff suppressed because it is too large