rpms/kernel/devel ext4-fix-insufficient-checks-in-EXT4_IOC_MOVE_EXT.patch, NONE, 1.1 kernel.spec, 1.1869, 1.1870
Kyle McMartin
kyle at fedoraproject.org
Wed Dec 9 14:28:46 UTC 2009
- Previous message (by thread): rpms/automake/F-12 .cvsignore, 1.22, 1.23 automake.spec, 1.44, 1.45 sources, 1.22, 1.23
- Next message (by thread): rpms/kernel/F-12 ext4-fix-insufficient-checks-in-EXT4_IOC_MOVE_EXT.patch, NONE, 1.1 kernel.spec, 1.1951, 1.1952
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: kyle
Update of /cvs/pkgs/rpms/kernel/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv5541
Modified Files:
kernel.spec
Added Files:
ext4-fix-insufficient-checks-in-EXT4_IOC_MOVE_EXT.patch
Log Message:
* Wed Dec 09 2009 Kyle McMartin <kyle at redhat.com> 2.6.32-7
- ext4-fix-insufficient-checks-in-EXT4_IOC_MOVE_EXT.patch: CVE-2009-4131
fix insufficient permission checking which could result in arbitrary
data corruption by a local unprivileged user.
ext4-fix-insufficient-checks-in-EXT4_IOC_MOVE_EXT.patch:
ioctl.c | 28 ++++++++++++++++++----------
move_extent.c | 8 +++++++-
2 files changed, 25 insertions(+), 11 deletions(-)
--- NEW FILE ext4-fix-insufficient-checks-in-EXT4_IOC_MOVE_EXT.patch ---
>From 910123ba363623f15ffb5d05dd87bdf06d08c609 Mon Sep 17 00:00:00 2001
From: Akira Fujita <a-fujita at rs.jp.nec.com>
Date: Sun, 6 Dec 2009 23:38:31 -0500
Subject: [PATCH] ext4: Fix insufficient checks in EXT4_IOC_MOVE_EXT
This patch fixes three problems in the handling of the
EXT4_IOC_MOVE_EXT ioctl:
1. In current EXT4_IOC_MOVE_EXT, there are read access mode checks for
original and donor files, but they allow the illegal write access to
donor file, since donor file is overwritten by original file data. To
fix this problem, change access mode checks of original (r->r/w) and
donor (r->w) files.
2. Disallow the use of donor files that have a setuid or setgid bits.
3. Call mnt_want_write() and mnt_drop_write() before and after
ext4_move_extents() calling to get write access to a mount.
Signed-off-by: Akira Fujita <a-fujita at rs.jp.nec.com>
Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
---
fs/ext4/ioctl.c | 28 ++++++++++++++++++----------
fs/ext4/move_extent.c | 7 +++++++
2 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
index c1cdf61..6cc8a09 100644
--- a/fs/ext4/ioctl.c
+++ b/fs/ext4/ioctl.c
@@ -221,31 +221,39 @@ setversion_out:
struct file *donor_filp;
int err;
+ if (!(filp->f_mode & FMODE_READ) ||
+ !(filp->f_mode & FMODE_WRITE))
+ return -EBADF;
+
if (copy_from_user(&me,
(struct move_extent __user *)arg, sizeof(me)))
return -EFAULT;
+ me.moved_len = 0;
donor_filp = fget(me.donor_fd);
if (!donor_filp)
return -EBADF;
- if (!capable(CAP_DAC_OVERRIDE)) {
- if ((current->real_cred->fsuid != inode->i_uid) ||
- !(inode->i_mode & S_IRUSR) ||
- !(donor_filp->f_dentry->d_inode->i_mode &
- S_IRUSR)) {
- fput(donor_filp);
- return -EACCES;
- }
+ if (!(donor_filp->f_mode & FMODE_WRITE)) {
+ err = -EBADF;
+ goto mext_out;
}
+ err = mnt_want_write(filp->f_path.mnt);
+ if (err)
+ goto mext_out;
+
err = ext4_move_extents(filp, donor_filp, me.orig_start,
me.donor_start, me.len, &me.moved_len);
- fput(donor_filp);
+ mnt_drop_write(filp->f_path.mnt);
+ if (me.moved_len > 0)
+ file_remove_suid(donor_filp);
if (copy_to_user((struct move_extent *)arg, &me, sizeof(me)))
- return -EFAULT;
+ err = -EFAULT;
+mext_out:
+ fput(donor_filp);
return err;
}
diff --git a/fs/ext4/move_extent.c b/fs/ext4/move_extent.c
index 25b6b14..0100ff9 100644
--- a/fs/ext4/move_extent.c
+++ b/fs/ext4/move_extent.c
@@ -985,6 +985,13 @@ mext_check_arguments(struct inode *orig_inode,
return -EINVAL;
}
+ if (donor_inode->i_mode & (S_ISUID|S_ISGID)) {
+ ext4_debug("ext4 move extent: suid or sgid is set"
+ " to donor file [ino:orig %lu, donor %lu]\n",
+ orig_inode->i_ino, donor_inode->i_ino);
+ return -EINVAL;
+ }
+
/* Ext4 move extent does not support swapfile */
if (IS_SWAPFILE(orig_inode) || IS_SWAPFILE(donor_inode)) {
ext4_debug("ext4 move extent: The argument files should "
--
1.6.5.2
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/devel/kernel.spec,v
retrieving revision 1.1869
retrieving revision 1.1870
diff -u -p -r1.1869 -r1.1870
--- kernel.spec 9 Dec 2009 01:32:09 -0000 1.1869
+++ kernel.spec 9 Dec 2009 14:28:45 -0000 1.1870
@@ -727,6 +727,9 @@ Patch12010: linux-2.6-dell-laptop-rfkill
Patch12011: linux-2.6-block-silently-error-unsupported-empty-barriers-too.patch
Patch12013: linux-2.6-rfkill-all.patch
+# rhbz#544471
+Patch12014: ext4-fix-insufficient-checks-in-EXT4_IOC_MOVE_EXT.patch
+
%endif
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1342,6 +1345,9 @@ ApplyPatch linux-2.6-silence-acpi-blackl
# Patches headed upstream
ApplyPatch linux-2.6-rfkill-all.patch
+# rhbz#544471
+ApplyPatch ext4-fix-insufficient-checks-in-EXT4_IOC_MOVE_EXT.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -1997,6 +2003,11 @@ fi
# and build.
%changelog
+* Wed Dec 09 2009 Kyle McMartin <kyle at redhat.com> 2.6.32-7
+- ext4-fix-insufficient-checks-in-EXT4_IOC_MOVE_EXT.patch: CVE-2009-4131
+ fix insufficient permission checking which could result in arbitrary
+ data corruption by a local unprivileged user.
+
* Tue Dec 08 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.32-6
- Copy fix for #540580 from F-12.
- Previous message (by thread): rpms/automake/F-12 .cvsignore, 1.22, 1.23 automake.spec, 1.44, 1.45 sources, 1.22, 1.23
- Next message (by thread): rpms/kernel/F-12 ext4-fix-insufficient-checks-in-EXT4_IOC_MOVE_EXT.patch, NONE, 1.1 kernel.spec, 1.1951, 1.1952
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list