From 3bd80a66288f4428b3b0d707e72f147a26c4feaa Mon Sep 17 00:00:00 2001 From: dann frazier Date: Mon, 26 Mar 2007 20:57:37 +0000 Subject: [PATCH 1/2] re-include the fix for CVE-2006-5753, which is an ABI breaker svn path=/dists/etch-security/linux-2.6/; revision=8399 --- debian/changelog | 10 + .../bugfix/listxattr-mem-corruption.patch | 441 ++++++++++++++++++ debian/patches/series/12etch1 | 1 + 3 files changed, 452 insertions(+) create mode 100644 debian/patches/bugfix/listxattr-mem-corruption.patch create mode 100644 debian/patches/series/12etch1 diff --git a/debian/changelog b/debian/changelog index f0d82ce9e..89fe3b787 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +linux-2.6 (2.6.18.dfsg.1-12etch1) UNRELEASED; urgency=low + + * bugfix/listxattr-mem-corruption.patch + [SECURITY] Fix userspace corruption vulnerability caused by + incorrectly promoted return values in bad_inode_ops + This patch changes the kernel ABI. + See CVE-2006-5753 + + -- dann frazier Mon, 26 Mar 2007 14:46:25 -0600 + linux-2.6 (2.6.18.dfsg.1-12) unstable; urgency=low [ Steve Langasek ] diff --git a/debian/patches/bugfix/listxattr-mem-corruption.patch b/debian/patches/bugfix/listxattr-mem-corruption.patch new file mode 100644 index 000000000..10f37da8a --- /dev/null +++ b/debian/patches/bugfix/listxattr-mem-corruption.patch @@ -0,0 +1,441 @@ +From: Eric Sandeen +Date: Sat, 6 Jan 2007 00:36:36 +0000 (-0800) +Subject: [PATCH] fix memory corruption from misinterpreted bad_inode_ops return values +X-Git-Tag: v2.6.20-rc4~60 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=be6aab0e9fa6d3c6d75aa1e38ac972d8b4ee82b8;hp=2723f9603a8f8bb2cd8c7b581f7c94b8d75e3837 + +[PATCH] fix memory corruption from misinterpreted bad_inode_ops return values + +CVE-2006-5753 is for a case where an inode can be marked bad, switching +the ops to bad_inode_ops, which are all connected as: + +static int return_EIO(void) +{ + return -EIO; +} + +#define EIO_ERROR ((void *) (return_EIO)) + +static struct inode_operations bad_inode_ops = +{ + .create = bad_inode_create +...etc... + +The problem here is that the void cast causes return types to not be +promoted, and for ops such as listxattr which expect more than 32 bits of +return value, the 32-bit -EIO is interpreted as a large positive 64-bit +number, i.e. 0x00000000fffffffa instead of 0xfffffffa. + +This goes particularly badly when the return value is taken as a number of +bytes to copy into, say, a user's buffer for example... + +I originally had coded up the fix by creating a return_EIO_ macro +for each return type, like this: + +static int return_EIO_int(void) +{ + return -EIO; +} +#define EIO_ERROR_INT ((void *) (return_EIO_int)) + +static struct inode_operations bad_inode_ops = +{ + .create = EIO_ERROR_INT, +...etc... + +but Al felt that it was probably better to create an EIO-returner for each +actual op signature. Since so few ops share a signature, I just went ahead +& created an EIO function for each individual file & inode op that returns +a value. + +Signed-off-by: Eric Sandeen +Cc: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +--- + +Backported to Debian's 2.6.18 by dann frazier + +--- linux-source-2.6.18/fs/bad_inode.c.orig 2006-09-19 21:42:06.000000000 -0600 ++++ linux-source-2.6.18/fs/bad_inode.c 2007-03-19 20:56:08.000000000 -0600 +@@ -14,61 +14,321 @@ + #include + #include + #include ++#include + +-static int return_EIO(void) ++ ++static loff_t bad_file_llseek(struct file *file, loff_t offset, int origin) ++{ ++ return -EIO; ++} ++ ++static ssize_t bad_file_read(struct file *filp, char __user *buf, ++ size_t size, loff_t *ppos) ++{ ++ return -EIO; ++} ++ ++static ssize_t bad_file_write(struct file *filp, const char __user *buf, ++ size_t siz, loff_t *ppos) ++{ ++ return -EIO; ++} ++ ++static ssize_t bad_file_aio_read(struct kiocb *iocb, char __user *buf, ++ size_t siz, loff_t pos) ++{ ++ return -EIO; ++} ++ ++static ssize_t bad_file_aio_write(struct kiocb *iocb, const char __user *buf, ++ size_t siz, loff_t pos) ++{ ++ return -EIO; ++} ++ ++static int bad_file_readdir(struct file *filp, void *dirent, filldir_t filldir) ++{ ++ return -EIO; ++} ++ ++static unsigned int bad_file_poll(struct file *filp, poll_table *wait) ++{ ++ return POLLERR; ++} ++ ++static int bad_file_ioctl (struct inode *inode, struct file *filp, ++ unsigned int cmd, unsigned long arg) ++{ ++ return -EIO; ++} ++ ++static long bad_file_unlocked_ioctl(struct file *file, unsigned cmd, ++ unsigned long arg) ++{ ++ return -EIO; ++} ++ ++static long bad_file_compat_ioctl(struct file *file, unsigned int cmd, ++ unsigned long arg) ++{ ++ return -EIO; ++} ++ ++static int bad_file_mmap(struct file *file, struct vm_area_struct *vma) ++{ ++ return -EIO; ++} ++ ++static int bad_file_open(struct inode *inode, struct file *filp) ++{ ++ return -EIO; ++} ++ ++static int bad_file_flush(struct file *file, fl_owner_t id) ++{ ++ return -EIO; ++} ++ ++static int bad_file_release(struct inode *inode, struct file *filp) ++{ ++ return -EIO; ++} ++ ++static int bad_file_fsync(struct file *file, struct dentry *dentry, ++ int datasync) ++{ ++ return -EIO; ++} ++ ++static int bad_file_aio_fsync(struct kiocb *iocb, int datasync) ++{ ++ return -EIO; ++} ++ ++static int bad_file_fasync(int fd, struct file *filp, int on) ++{ ++ return -EIO; ++} ++ ++static int bad_file_lock(struct file *file, int cmd, struct file_lock *fl) ++{ ++ return -EIO; ++} ++ ++static ssize_t bad_file_readv(struct file *filp, const struct iovec *iov, ++ unsigned long nr_segs, loff_t *ppos) ++{ ++ return -EIO; ++} ++ ++static ssize_t bad_file_writev(struct file *filp, const struct iovec *iov, ++ unsigned long nr_segs, loff_t *ppos) ++{ ++ return -EIO; ++} ++ ++static ssize_t bad_file_sendfile(struct file *in_file, loff_t *ppos, ++ size_t count, read_actor_t actor, void *target) ++{ ++ return -EIO; ++} ++ ++static ssize_t bad_file_sendpage(struct file *file, struct page *page, ++ int off, size_t len, loff_t *pos, int more) ++{ ++ return -EIO; ++} ++ ++static unsigned long bad_file_get_unmapped_area(struct file *file, ++ unsigned long addr, unsigned long len, ++ unsigned long pgoff, unsigned long flags) + { + return -EIO; + } + +-#define EIO_ERROR ((void *) (return_EIO)) ++static int bad_file_check_flags(int flags) ++{ ++ return -EIO; ++} ++ ++static int bad_file_dir_notify(struct file *file, unsigned long arg) ++{ ++ return -EIO; ++} ++ ++static int bad_file_flock(struct file *filp, int cmd, struct file_lock *fl) ++{ ++ return -EIO; ++} ++ ++static ssize_t bad_file_splice_write(struct pipe_inode_info *pipe, ++ struct file *out, loff_t *ppos, size_t len, ++ unsigned int flags) ++{ ++ return -EIO; ++} ++ ++static ssize_t bad_file_splice_read(struct file *in, loff_t *ppos, ++ struct pipe_inode_info *pipe, size_t len, ++ unsigned int flags) ++{ ++ return -EIO; ++} + + static const struct file_operations bad_file_ops = + { +- .llseek = EIO_ERROR, +- .aio_read = EIO_ERROR, +- .read = EIO_ERROR, +- .write = EIO_ERROR, +- .aio_write = EIO_ERROR, +- .readdir = EIO_ERROR, +- .poll = EIO_ERROR, +- .ioctl = EIO_ERROR, +- .mmap = EIO_ERROR, +- .open = EIO_ERROR, +- .flush = EIO_ERROR, +- .release = EIO_ERROR, +- .fsync = EIO_ERROR, +- .aio_fsync = EIO_ERROR, +- .fasync = EIO_ERROR, +- .lock = EIO_ERROR, +- .readv = EIO_ERROR, +- .writev = EIO_ERROR, +- .sendfile = EIO_ERROR, +- .sendpage = EIO_ERROR, +- .get_unmapped_area = EIO_ERROR, ++ .llseek = bad_file_llseek, ++ .read = bad_file_read, ++ .write = bad_file_write, ++ .aio_read = bad_file_aio_read, ++ .aio_write = bad_file_aio_write, ++ .readdir = bad_file_readdir, ++ .poll = bad_file_poll, ++ .ioctl = bad_file_ioctl, ++ .unlocked_ioctl = bad_file_unlocked_ioctl, ++ .compat_ioctl = bad_file_compat_ioctl, ++ .mmap = bad_file_mmap, ++ .open = bad_file_open, ++ .flush = bad_file_flush, ++ .release = bad_file_release, ++ .fsync = bad_file_fsync, ++ .aio_fsync = bad_file_aio_fsync, ++ .fasync = bad_file_fasync, ++ .lock = bad_file_lock, ++ .readv = bad_file_readv, ++ .writev = bad_file_writev, ++ .sendfile = bad_file_sendfile, ++ .sendpage = bad_file_sendpage, ++ .get_unmapped_area = bad_file_get_unmapped_area, ++ .check_flags = bad_file_check_flags, ++ .dir_notify = bad_file_dir_notify, ++ .flock = bad_file_flock, ++ .splice_write = bad_file_splice_write, ++ .splice_read = bad_file_splice_read, + }; + ++static int bad_inode_create (struct inode *dir, struct dentry *dentry, ++ int mode, struct nameidata *nd) ++{ ++ return -EIO; ++} ++ ++static struct dentry *bad_inode_lookup(struct inode *dir, ++ struct dentry *dentry, struct nameidata *nd) ++{ ++ return ERR_PTR(-EIO); ++} ++ ++static int bad_inode_link (struct dentry *old_dentry, struct inode *dir, ++ struct dentry *dentry) ++{ ++ return -EIO; ++} ++ ++static int bad_inode_unlink(struct inode *dir, struct dentry *dentry) ++{ ++ return -EIO; ++} ++ ++static int bad_inode_symlink (struct inode *dir, struct dentry *dentry, ++ const char *symname) ++{ ++ return -EIO; ++} ++ ++static int bad_inode_mkdir(struct inode *dir, struct dentry *dentry, ++ int mode) ++{ ++ return -EIO; ++} ++ ++static int bad_inode_rmdir (struct inode *dir, struct dentry *dentry) ++{ ++ return -EIO; ++} ++ ++static int bad_inode_mknod (struct inode *dir, struct dentry *dentry, ++ int mode, dev_t rdev) ++{ ++ return -EIO; ++} ++ ++static int bad_inode_rename (struct inode *old_dir, struct dentry *old_dentry, ++ struct inode *new_dir, struct dentry *new_dentry) ++{ ++ return -EIO; ++} ++ ++static int bad_inode_readlink(struct dentry *dentry, char __user *buffer, ++ int buflen) ++{ ++ return -EIO; ++} ++ ++static int bad_inode_permission(struct inode *inode, int mask, ++ struct nameidata *nd) ++{ ++ return -EIO; ++} ++ ++static int bad_inode_getattr(struct vfsmount *mnt, struct dentry *dentry, ++ struct kstat *stat) ++{ ++ return -EIO; ++} ++ ++static int bad_inode_setattr(struct dentry *direntry, struct iattr *attrs) ++{ ++ return -EIO; ++} ++ ++static int bad_inode_setxattr(struct dentry *dentry, const char *name, ++ const void *value, size_t size, int flags) ++{ ++ return -EIO; ++} ++ ++static ssize_t bad_inode_getxattr(struct dentry *dentry, const char *name, ++ void *buffer, size_t size) ++{ ++ return -EIO; ++} ++ ++static ssize_t bad_inode_listxattr(struct dentry *dentry, char *buffer, ++ size_t buffer_size) ++{ ++ return -EIO; ++} ++ ++static int bad_inode_removexattr(struct dentry *dentry, const char *name) ++{ ++ return -EIO; ++} ++ + static struct inode_operations bad_inode_ops = + { +- .create = EIO_ERROR, +- .lookup = EIO_ERROR, +- .link = EIO_ERROR, +- .unlink = EIO_ERROR, +- .symlink = EIO_ERROR, +- .mkdir = EIO_ERROR, +- .rmdir = EIO_ERROR, +- .mknod = EIO_ERROR, +- .rename = EIO_ERROR, +- .readlink = EIO_ERROR, ++ .create = bad_inode_create, ++ .lookup = bad_inode_lookup, ++ .link = bad_inode_link, ++ .unlink = bad_inode_unlink, ++ .symlink = bad_inode_symlink, ++ .mkdir = bad_inode_mkdir, ++ .rmdir = bad_inode_rmdir, ++ .mknod = bad_inode_mknod, ++ .rename = bad_inode_rename, ++ .readlink = bad_inode_readlink, + /* follow_link must be no-op, otherwise unmounting this inode + won't work */ +- .truncate = EIO_ERROR, +- .permission = EIO_ERROR, +- .getattr = EIO_ERROR, +- .setattr = EIO_ERROR, +- .setxattr = EIO_ERROR, +- .getxattr = EIO_ERROR, +- .listxattr = EIO_ERROR, +- .removexattr = EIO_ERROR, ++ /* put_link returns void */ ++ /* truncate returns void */ ++ .permission = bad_inode_permission, ++ .getattr = bad_inode_getattr, ++ .setattr = bad_inode_setattr, ++ .setxattr = bad_inode_setxattr, ++ .getxattr = bad_inode_getxattr, ++ .listxattr = bad_inode_listxattr, ++ .removexattr = bad_inode_removexattr, ++ /* truncate_range returns void */ + }; + + +@@ -90,7 +350,7 @@ + * on it to fail from this point on. + */ + +-void make_bad_inode(struct inode * inode) ++void make_bad_inode(struct inode *inode) + { + remove_inode_hash(inode); + +@@ -115,7 +375,7 @@ + * Returns true if the inode in question has been marked as bad. + */ + +-int is_bad_inode(struct inode * inode) ++int is_bad_inode(struct inode *inode) + { + return (inode->i_op == &bad_inode_ops); + } diff --git a/debian/patches/series/12etch1 b/debian/patches/series/12etch1 new file mode 100644 index 000000000..9adae0e13 --- /dev/null +++ b/debian/patches/series/12etch1 @@ -0,0 +1 @@ ++ bugfix/listxattr-mem-corruption.patch From 6fda70ba00a34a04b5a9aa39e7a8b858484d28c5 Mon Sep 17 00:00:00 2001 From: dann frazier Date: Wed, 4 Apr 2007 07:42:17 +0000 Subject: [PATCH 2/2] * bugfix/core-dump-unreadable-PT_INTERP.patch [SECURITY] Fix a vulnerability that allows local users to read otherwise unreadable (but executable) files by triggering a core dump. See CVE-2007-0958 svn path=/dists/etch-security/linux-2.6/; revision=8421 --- debian/changelog | 6 +- .../core-dump-unreadable-PT_INTERP.patch | 70 +++++++++++++++++++ debian/patches/series/12etch1 | 1 + 3 files changed, 76 insertions(+), 1 deletion(-) create mode 100644 debian/patches/bugfix/core-dump-unreadable-PT_INTERP.patch diff --git a/debian/changelog b/debian/changelog index 89fe3b787..c17640dd8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -5,8 +5,12 @@ linux-2.6 (2.6.18.dfsg.1-12etch1) UNRELEASED; urgency=low incorrectly promoted return values in bad_inode_ops This patch changes the kernel ABI. See CVE-2006-5753 + * bugfix/core-dump-unreadable-PT_INTERP.patch + [SECURITY] Fix a vulnerability that allows local users to read + otherwise unreadable (but executable) files by triggering a core dump. + See CVE-2007-0958 - -- dann frazier Mon, 26 Mar 2007 14:46:25 -0600 + -- dann frazier Wed, 04 Apr 2007 01:38:23 -0600 linux-2.6 (2.6.18.dfsg.1-12) unstable; urgency=low diff --git a/debian/patches/bugfix/core-dump-unreadable-PT_INTERP.patch b/debian/patches/bugfix/core-dump-unreadable-PT_INTERP.patch new file mode 100644 index 000000000..33c7c4fef --- /dev/null +++ b/debian/patches/bugfix/core-dump-unreadable-PT_INTERP.patch @@ -0,0 +1,70 @@ +From: Alexey Dobriyan +Date: Fri, 26 Jan 2007 08:57:16 +0000 (-0800) +Subject: [PATCH] core-dumping unreadable binaries via PT_INTERP +X-Git-Tag: v2.6.20-rc7^0~60 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=1fb844961818ce94e782acf6a96b92dc2303553b + +[PATCH] core-dumping unreadable binaries via PT_INTERP + +Proposed patch to fix #5 in +http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt +aka +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1073 + +To reproduce, do +* grab poc at the end of advisory. +* add line "eph.p_memsz = 4096;" after "eph.p_filesz = 4096;" + where first "4096" is something equal to or greater than 4096. +* ./poc /usr/bin/sudo && ls -l + +Here I get with 2.6.20-rc5: + + -rw------- 1 ad ad 102400 2007-01-15 19:17 core + ---s--x--x 2 root root 101820 2007-01-15 19:15 /usr/bin/sudo + +Check for MAY_READ like binfmt_misc.c does. + +Signed-off-by: Alexey Dobriyan +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +--- + +diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c +index 90461f4..669dbe5 100644 +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -682,6 +682,15 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) + retval = PTR_ERR(interpreter); + if (IS_ERR(interpreter)) + goto out_free_interp; ++ ++ /* ++ * If the binary is not readable then enforce ++ * mm->dumpable = 0 regardless of the interpreter's ++ * permissions. ++ */ ++ if (file_permission(interpreter, MAY_READ) < 0) ++ bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP; ++ + retval = kernel_read(interpreter, 0, bprm->buf, + BINPRM_BUF_SIZE); + if (retval != BINPRM_BUF_SIZE) { +diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c +index 6e6d456..a4d933a 100644 +--- a/fs/binfmt_elf_fdpic.c ++++ b/fs/binfmt_elf_fdpic.c +@@ -234,6 +234,14 @@ static int load_elf_fdpic_binary(struct linux_binprm *bprm, + goto error; + } + ++ /* ++ * If the binary is not readable then enforce ++ * mm->dumpable = 0 regardless of the interpreter's ++ * permissions. ++ */ ++ if (file_permission(interpreter, MAY_READ) < 0) ++ bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP; ++ + retval = kernel_read(interpreter, 0, bprm->buf, + BINPRM_BUF_SIZE); + if (retval < 0) diff --git a/debian/patches/series/12etch1 b/debian/patches/series/12etch1 index 9adae0e13..18c5e89a7 100644 --- a/debian/patches/series/12etch1 +++ b/debian/patches/series/12etch1 @@ -1 +1,2 @@ + bugfix/listxattr-mem-corruption.patch ++ bugfix/core-dump-unreadable-PT_INTERP.patch