Date: Fri, 10 Jun 2016 14:46:23 -0700
From: John Johansen <john.johansen@...onical.com>
To: oss-security@...ts.openwall.com
Cc: Jann Horn <jannh@...gle.com>, Tyler Hicks <tyhicks@...onical.com>,
 "security@...nel.org" <security@...nel.org>
Subject: [vs-plain] Linux kernel stack overflow via ecryptfs and
 /proc/$pid/environ

This is a forward notification of a local priv escalation flaw from
security@...nel.org to the OSS security list. The CRD was for
2016-06-08 14:00:00 UTC. Patches attached to the email.

The flaw in eCryptfs was assigned CVE-2016-1583.

If backporting these patches to kernels pre-4.6, you may need to
cherry-pick patch 6a480a7842545ec520a91730209ec0bae41694c1.


From: Jann Horn <jannh@...gle.com>
To: security@...nel.org
Cc: Jann Horn <jannh@...gle.com>
Subject: [PATCH 2/3] ecryptfs: forbid opening files without mmap handler
Date: Wed,  1 Jun 2016 11:55:06 +0200
Message-Id: <1464774907-7753-2-git-send-email-jannh@...gle.com>
X-Mailer: git-send-email 2.8.0.rc3.226.g39d4020
In-Reply-To: <1464774907-7753-1-git-send-email-jannh@...gle.com>
References: <CAG48ez3HNCkbW0rFyQJqAvaLNxtLWTKMdPoo6TruYdkpE7oVvg@...l.gmail.com>
 <1464774907-7753-1-git-send-email-jannh@...gle.com>

This prevents users from triggering an exploitable stack overflow
through a recursive invocation of pagefault handling that involves
mapping procfs files into virtual memory.

Signed-off-by: Jann Horn <jannh@...gle.com>
Cc: stable@...r.kernel.org
---
 fs/ecryptfs/kthread.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/fs/ecryptfs/kthread.c b/fs/ecryptfs/kthread.c
index 866bb18..e818f5a 100644
--- a/fs/ecryptfs/kthread.c
+++ b/fs/ecryptfs/kthread.c
@@ -25,6 +25,7 @@
 #include <linux/slab.h>
 #include <linux/wait.h>
 #include <linux/mount.h>
+#include <linux/file.h>
 #include "ecryptfs_kernel.h"
 
 struct ecryptfs_open_req {
@@ -147,7 +148,7 @@ int ecryptfs_privileged_open(struct file **lower_file,
 	flags |= IS_RDONLY(d_inode(lower_dentry)) ? O_RDONLY : O_RDWR;
 	(*lower_file) = dentry_open(&req.path, flags, cred);
 	if (!IS_ERR(*lower_file))
-		goto out;
+		goto have_file;
 	if ((flags & O_ACCMODE) == O_RDONLY) {
 		rc = PTR_ERR((*lower_file));
 		goto out;
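Review bot: redirecting the successful dentry_open() result to have_file instead of out means the opened lower file is no longer returned immediately but first passes the mmap check added further down; the function still returns 0 on that path only because rc is left untouched (it must already be 0 at this point, which this hunk does not show). A one-line comment at the new goto would help, since a reader of this hunk alone cannot see why the success path is deferred.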
@@ -165,8 +166,16 @@ int ecryptfs_privileged_open(struct file **lower_file,
 	mutex_unlock(&ecryptfs_kthread_ctl.mux);
 	wake_up(&ecryptfs_kthread_ctl.wait);
 	wait_for_completion(&req.done);
-	if (IS_ERR(*lower_file))
+	if (IS_ERR(*lower_file)) {
 		rc = PTR_ERR(*lower_file);
+		goto out;
+	}
+have_file:
+	if ((*lower_file)->f_op->mmap == NULL) {
+		fput(*lower_file);
+		*lower_file = NULL;
+		rc = -EMEDIUMTYPE;
+	}
 out:
 	return rc;
 }
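Review bot: the rejection at have_file carries no comment explaining why a lower file without an mmap handler is refused; the rationale (procfs files, recursive page-fault handling) exists only in the commit message, and whoever reads kthread.c later will not find it. Suggest a comment above the check, e.g. "/* Refuse lower files with no mmap handler (procfs); see the commit adding this check. */". -EMEDIUMTYPE is also an unusual errno for callers of ecryptfs_privileged_open() to see; if that choice is deliberate, the comment should say so. The added "goto out" after wait_for_completion() on the error path is correct and necessary, since falling through would dereference an ERR_PTR at "(*lower_file)->f_op".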
-- 
2.8.0.rc3.226.g39d4020




From: Jann Horn <jannh@...gle.com>
To: security@...nel.org
Cc: Jann Horn <jannh@...gle.com>
Subject: [PATCH 1/3] proc: prevent stacking filesystems on top
Date: Wed,  1 Jun 2016 11:55:05 +0200
Message-Id: <1464774907-7753-1-git-send-email-jannh@...gle.com>
X-Mailer: git-send-email 2.8.0.rc3.226.g39d4020
In-Reply-To: <CAG48ez3HNCkbW0rFyQJqAvaLNxtLWTKMdPoo6TruYdkpE7oVvg@...l.gmail.com>
References: <CAG48ez3HNCkbW0rFyQJqAvaLNxtLWTKMdPoo6TruYdkpE7oVvg@...l.gmail.com>

This prevents stacking filesystems (ecryptfs and overlayfs)
from using procfs as lower filesystem. There is too much magic
going on inside procfs, and there is no good reason to stack
stuff on top of procfs.

(For example, procfs does access checks in VFS open handlers,
and ecryptfs by design calls open handlers from a kernel
thread that doesn't drop privileges or so.)

Signed-off-by: Jann Horn <jannh@...gle.com>
Cc: stable@...r.kernel.org
---
 fs/proc/root.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/fs/proc/root.c b/fs/proc/root.c
index 55bc7d6..0670278 100644
--- a/fs/proc/root.c
+++ b/fs/proc/root.c
@@ -121,6 +121,13 @@ static struct dentry *proc_mount(struct file_system_type *fs_type,
 	if (IS_ERR(sb))
 		return ERR_CAST(sb);
 
+	/*
+	 * procfs isn't actually a stacking filesystem; however, there is
+	 * too much magic going on inside it to permit stacking things on
+	 * top of it
+	 */
+	sb->s_stack_depth = FILESYSTEM_MAX_STACK_DEPTH;
+
 	if (!proc_parse_options(options, ns)) {
 		deactivate_locked_super(sb);
 		return ERR_PTR(-EINVAL);
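Review bot: the in-code comment says only that there is "too much magic" in procfs; the concrete reason given in the commit message (procfs performs access checks in its VFS open handlers, and a stacking filesystem such as ecryptfs may call those handlers from a privileged kernel thread) belongs in the comment so that the next person touching s_stack_depth here understands what breaks if the line is removed. Also worth stating: this is a mount-time barrier that only works for stacking filesystems which compare their own depth against FILESYSTEM_MAX_STACK_DEPTH when mounting (the commit message names ecryptfs and overlayfs); procfs itself does not enforce anything with this value.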
-- 
2.8.0.rc3.226.g39d4020



From: Jann Horn <jannh@...gle.com>
To: security@...nel.org
Cc: Jann Horn <jannh@...gle.com>
Subject: [PATCH 3/3] sched: panic on corrupted stack end
Date: Wed,  1 Jun 2016 11:55:07 +0200
Message-Id: <1464774907-7753-3-git-send-email-jannh@...gle.com>
X-Mailer: git-send-email 2.8.0.rc3.226.g39d4020
In-Reply-To: <1464774907-7753-1-git-send-email-jannh@...gle.com>
References: <CAG48ez3HNCkbW0rFyQJqAvaLNxtLWTKMdPoo6TruYdkpE7oVvg@...l.gmail.com>
 <1464774907-7753-1-git-send-email-jannh@...gle.com>

Until now, hitting this BUG_ON caused a recursive oops (because oops
handling involves do_exit(), which calls into the scheduler, which in
turn raises an oops), which caused stuff below the stack to be
overwritten until a panic happened (e.g. via an oops in interrupt context,
caused by the overwritten CPU index in the thread_info).

Just panic directly.

Signed-off-by: Jann Horn <jannh@...gle.com>
---
 kernel/sched/core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index 7f2cae4..8dbe9be 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -3156,7 +3156,8 @@ static noinline void __schedule_bug(struct task_struct *prev)
 static inline void schedule_debug(struct task_struct *prev)
 {
 #ifdef CONFIG_SCHED_STACK_END_CHECK
-	BUG_ON(task_stack_end_corrupted(prev));
+	if (task_stack_end_corrupted(prev))
+		panic("corrupted stack end detected inside scheduler\n");
 #endif
 
 	if (unlikely(in_atomic_preempt_off())) {
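Review bot: the panic() message ends in "\n"; panic() appends its own newline after the message, so this leaves an empty line in the log. Drop the "\n". Otherwise the change is sound: with the stack end already corrupted, the oops path (do_exit() back into the scheduler) re-enters schedule_debug() and trips the same check again, as the commit message describes, and a direct panic() cuts that recursion off. Note that the check stays inside #ifdef CONFIG_SCHED_STACK_END_CHECK, so kernels built without that option get neither the BUG_ON nor the panic; the commit message could say so for the benefit of backporters.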
-- 
2.8.0.rc3.226.g39d4020


