[kernel] r19771 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Tue Jan 22 06:49:08 UTC 2013
Author: dannf
Date: Tue Jan 22 06:49:07 2013
New Revision: 19771
Log:
* exec: do not leave bprm->interp on stack (CVE-2012-4530)
* exec: use -ELOOP for max recursion depth (CVE-2012-4530)
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/exec-do-not-leave-bprm-interp-on-stack.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/exec-use-ELOOP-for-max-recursion-depth.patch
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/series/47squeeze1
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Tue Jan 22 06:45:29 2013 (r19770)
+++ dists/squeeze-security/linux-2.6/debian/changelog Tue Jan 22 06:49:07 2013 (r19771)
@@ -3,6 +3,8 @@
* kmod: make __request_module() killable (CVE-2012-4398)
* inet: add RCU protection to inet->opt (CVE-2012-3552)
* net: fix divide by zero in tcp algorithm illinois (CVE-2012-4565)
+ * exec: do not leave bprm->interp on stack (CVE-2012-4530)
+ * exec: use -ELOOP for max recursion depth (CVE-2012-4530)
-- dann frazier <dannf at debian.org> Mon, 22 Oct 2012 20:34:13 -0500
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/exec-do-not-leave-bprm-interp-on-stack.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/exec-do-not-leave-bprm-interp-on-stack.patch Tue Jan 22 06:49:07 2013 (r19771)
@@ -0,0 +1,113 @@
+commit b66c5984017533316fd1951770302649baf1aa33
+Author: Kees Cook <keescook at chromium.org>
+Date: Thu Dec 20 15:05:16 2012 -0800
+
+ exec: do not leave bprm->interp on stack
+
+ If a series of scripts are executed, each triggering module loading via
+ unprintable bytes in the script header, kernel stack contents can leak
+ into the command line.
+
+ Normally execution of binfmt_script and binfmt_misc happens recursively.
+ However, when modules are enabled, and unprintable bytes exist in the
+ bprm->buf, execution will restart after attempting to load matching
+ binfmt modules. Unfortunately, the logic in binfmt_script and
+ binfmt_misc does not expect to get restarted. They leave bprm->interp
+ pointing to their local stack. This means on restart bprm->interp is
+ left pointing into unused stack memory which can then be copied into the
+ userspace argv areas.
+
+ After additional study, it seems that both recursion and restart remains
+ the desirable way to handle exec with scripts, misc, and modules. As
+ such, we need to protect the changes to interp.
+
+ This changes the logic to require allocation for any changes to the
+ bprm->interp. To avoid adding a new kmalloc to every exec, the default
+ value is left as-is. Only when passing through binfmt_script or
+ binfmt_misc does an allocation take place.
+
+ For a proof of concept, see DoTest.sh from:
+
+ http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/
+
+ Signed-off-by: Kees Cook <keescook at chromium.org>
+ Cc: halfdog <me at halfdog.net>
+ Cc: P J P <ppandit at redhat.com>
+ Cc: Alexander Viro <viro at zeniv.linux.org.uk>
+ Cc: <stable at vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c
+index 42b60b0..fb93997 100644
+--- a/fs/binfmt_misc.c
++++ b/fs/binfmt_misc.c
+@@ -176,7 +176,10 @@ static int load_misc_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+ goto _error;
+ bprm->argc ++;
+
+- bprm->interp = iname; /* for binfmt_script */
++ /* Update interp in case binfmt_script needs it. */
++ retval = bprm_change_interp(iname, bprm);
++ if (retval < 0)
++ goto _error;
+
+ interp_file = open_exec (iname);
+ retval = PTR_ERR (interp_file);
+diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c
+index 0834350..356568c 100644
+--- a/fs/binfmt_script.c
++++ b/fs/binfmt_script.c
+@@ -82,7 +82,9 @@ static int load_script(struct linux_binprm *bprm,struct pt_regs *regs)
+ retval = copy_strings_kernel(1, &i_name, bprm);
+ if (retval) return retval;
+ bprm->argc++;
+- bprm->interp = interp;
++ retval = bprm_change_interp(interp, bprm);
++ if (retval < 0)
++ return retval;
+
+ /*
+ * OK, now restart the process with the interpreter's dentry.
+diff --git a/fs/exec.c b/fs/exec.c
+index 5cfac92..47bb117 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1109,9 +1109,24 @@ void free_bprm(struct linux_binprm *bprm)
+ mutex_unlock(¤t->cred_guard_mutex);
+ abort_creds(bprm->cred);
+ }
++ /* If a binfmt changed the interp, free it. */
++ if (bprm->interp != bprm->filename)
++ kfree(bprm->interp);
+ kfree(bprm);
+ }
+
++int bprm_change_interp(char *interp, struct linux_binprm *bprm)
++{
++ /* If a binfmt changed the interp, free it first. */
++ if (bprm->interp != bprm->filename)
++ kfree(bprm->interp);
++ bprm->interp = kstrdup(interp, GFP_KERNEL);
++ if (!bprm->interp)
++ return -ENOMEM;
++ return 0;
++}
++EXPORT_SYMBOL(bprm_change_interp);
++
+ /*
+ * install the new credentials for this executable
+ */
+diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
+index c64c497..ff17462 100644
+--- a/include/linux/binfmts.h
++++ b/include/linux/binfmts.h
+@@ -120,6 +120,7 @@ extern int setup_arg_pages(struct linux_binprm * bprm,
+ unsigned long stack_top,
+ int executable_stack);
+ extern int bprm_mm_init(struct linux_binprm *bprm);
++extern int bprm_change_interp(char *interp, struct linux_binprm *bprm);
+ extern int copy_strings_kernel(int argc,char ** argv,struct linux_binprm *bprm);
+ extern int prepare_bprm_creds(struct linux_binprm *bprm);
+ extern void install_exec_creds(struct linux_binprm *bprm);
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/exec-use-ELOOP-for-max-recursion-depth.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/exec-use-ELOOP-for-max-recursion-depth.patch Tue Jan 22 06:49:07 2013 (r19771)
@@ -0,0 +1,137 @@
+commit d740269867021faf4ce38a449353d2b986c34a67
+Author: Kees Cook <keescook at chromium.org>
+Date: Mon Dec 17 16:03:20 2012 -0800
+
+ exec: use -ELOOP for max recursion depth
+
+ To avoid an explosion of request_module calls on a chain of abusive
+ scripts, fail maximum recursion with -ELOOP instead of -ENOEXEC. As soon
+ as maximum recursion depth is hit, the error will fail all the way back
+ up the chain, aborting immediately.
+
+ This also has the side-effect of stopping the user's shell from attempting
+ to reexecute the top-level file as a shell script. As seen in the
+ dash source:
+
+ if (cmd != path_bshell && errno == ENOEXEC) {
+ *argv-- = cmd;
+ *argv = cmd = path_bshell;
+ goto repeat;
+ }
+
+ The above logic was designed for running scripts automatically that lacked
+ the "#!" header, not to re-try failed recursion. On a legitimate -ENOEXEC,
+ things continue to behave as the shell expects.
+
+ Additionally, when tracking recursion, the binfmt handlers should not be
+ involved. The recursion being tracked is the depth of calls through
+ search_binary_handler(), so that function should be exclusively responsible
+ for tracking the depth.
+
+ Signed-off-by: Kees Cook <keescook at chromium.org>
+ Cc: halfdog <me at halfdog.net>
+ Cc: P J P <ppandit at redhat.com>
+ Cc: Alexander Viro <viro at zeniv.linux.org.uk>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/fs/binfmt_em86.c b/fs/binfmt_em86.c
+index 32fb00b..416dcae 100644
+--- a/fs/binfmt_em86.c
++++ b/fs/binfmt_em86.c
+@@ -43,7 +43,6 @@ static int load_em86(struct linux_binprm *bprm,struct pt_regs *regs)
+ return -ENOEXEC;
+ }
+
+- bprm->recursion_depth++; /* Well, the bang-shell is implicit... */
+ allow_write_access(bprm->file);
+ fput(bprm->file);
+ bprm->file = NULL;
+diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c
+index fb93997..258c5ca 100644
+--- a/fs/binfmt_misc.c
++++ b/fs/binfmt_misc.c
+@@ -116,10 +116,6 @@ static int load_misc_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+ if (!enabled)
+ goto _ret;
+
+- retval = -ENOEXEC;
+- if (bprm->recursion_depth > BINPRM_MAX_RECURSION)
+- goto _ret;
+-
+ /* to keep locking time low, we copy the interpreter string */
+ read_lock(&entries_lock);
+ fmt = check_file(bprm);
+@@ -200,8 +196,6 @@ static int load_misc_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+ if (retval < 0)
+ goto _error;
+
+- bprm->recursion_depth++;
+-
+ retval = search_binary_handler (bprm, regs);
+ if (retval < 0)
+ goto _error;
+diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c
+index 356568c..4fe6b8a 100644
+--- a/fs/binfmt_script.c
++++ b/fs/binfmt_script.c
+@@ -22,15 +22,13 @@ static int load_script(struct linux_binprm *bprm,struct pt_regs *regs)
+ char interp[BINPRM_BUF_SIZE];
+ int retval;
+
+- if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!') ||
+- (bprm->recursion_depth > BINPRM_MAX_RECURSION))
++ if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!'))
+ return -ENOEXEC;
+ /*
+ * This section does the #! interpretation.
+ * Sorta complicated, but hopefully it will work. -TYT
+ */
+
+- bprm->recursion_depth++;
+ allow_write_access(bprm->file);
+ fput(bprm->file);
+ bprm->file = NULL;
+diff --git a/fs/exec.c b/fs/exec.c
+index 47bb117..fd1efbe 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1286,6 +1286,10 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
+ int try,retval;
+ struct linux_binfmt *fmt;
+
++ /* This allows 4 levels of binfmt rewrites before failing hard. */
++ if (depth > 5)
++ return -ELOOP;
++
+ retval = security_bprm_check(bprm);
+ if (retval)
+ return retval;
+@@ -1307,12 +1311,8 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
+ if (!try_module_get(fmt->module))
+ continue;
+ read_unlock(&binfmt_lock);
++ bprm->recursion_depth = depth + 1;
+ retval = fn(bprm, regs);
+- /*
+- * Restore the depth counter to its starting value
+- * in this call, so we don't have to rely on every
+- * load_binary function to restore it on return.
+- */
+ bprm->recursion_depth = depth;
+ if (retval >= 0) {
+ if (depth == 0)
+diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
+index ff17462..c0de775 100644
+--- a/include/linux/binfmts.h
++++ b/include/linux/binfmts.h
+@@ -69,8 +69,6 @@ extern struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
+ #define BINPRM_FLAGS_EXECFD_BIT 1
+ #define BINPRM_FLAGS_EXECFD (1 << BINPRM_FLAGS_EXECFD_BIT)
+
+-#define BINPRM_MAX_RECURSION 4
+-
+ /*
+ * This structure defines the functions that are used to load the binary formats that
+ * linux accepts.
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/47squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/47squeeze1 Tue Jan 22 06:45:29 2013 (r19770)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/47squeeze1 Tue Jan 22 06:49:07 2013 (r19771)
@@ -6,3 +6,5 @@
+ bugfix/all/inet-add-RCU-protection-to-inet-opt.patch
+ debian/inet-Avoid-ABI-change-from-fix-for-CVE-2012-3552.patch
+ bugfix/all/net-fix-divide-by-zero-in-tcp-algorithm-illinois.patch
++ bugfix/all/exec-do-not-leave-bprm-interp-on-stack.patch
++ bugfix/all/exec-use-ELOOP-for-max-recursion-depth.patch
More information about the Kernel-svn-changes
mailing list