From: Pramod Gunjikar <pramod.gunjikar-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
To: linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Rajkumar Sivaprakasam
<rajkumar.sivaprakasam-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
Subject: Re: ibdiagnet: ibdiagnet /tmp clobbering vulnerability
Date: Mon, 15 Jul 2013 21:34:30 +0530 [thread overview]
Message-ID: <51E41D8E.4040503@oracle.com> (raw)
In-Reply-To: <51E3865C.7080105-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
Copying Rajkumar. Rajkumar is also in on this alias.
Thanks
Pramod
> Sending this on behalf of Rajkumar Sivaprakasam.
>
> Pramod
> <-------------------------------------------------------------------------------------->
>
>
> The diff of the proposed changes for fixing the CVE 2013-2561 is in
> the attachment to this mail. The diffs are based on
> ~kliteyn/ibutils.git.
> Please review the proposed changes for the fix. See below for the
> details about the issue and the proposed fix.
>
> Synopsis:
> CVE-2013-2561: ibdiagnet /tmp clobbering vulnerability
>
> Problem statement:
> The ibdiagnet utility creates many files in the /tmp/ directory.
> If any of these files exist already, they are deleted during
> initialization of the command, except for:
>
> ibdiagnet.log
> ibdiagnet.db
> ibdiagnet_ibis.log
>
> These files, if present, are truncated to zero length and the
> relevant data written to them.
>
> A malicious user (non-privileged) can create a soft link with one
> or more of the above three file names pointing to an important system
> file (example /etc/shadow), since /tmp/ has write access by everyone.
> The next time ibdiagnet is run as root, the command will just open the
> symlink, truncating the system file and writing the ibdiagnet data into
> those files, possibly bringing down the system.
>
> Fix Summary:
> Remove the above files too, in a way that does not impair the
> functionality. This breaks any symlink that was created by the
> malicious user, preventing the data corruption. Since these files are
> always opened with the access mode 'w' (write, with file size
> truncated to 0), it is safe to delete these files and treat them
> similarly to the other files.
>
> Fix Details:
> The ibdiagnet utility, at the initialization path of the code
> (StartIBDIAG() in ibdebug.tcl), calls the DeleteOldFiles() routine, which
> deletes all the files that will be created by the utility, if they
> already exist. This routine however skips the ibdiagnet.log and
> ibdiagnet.db files.
>
> The ibdiagnet.log file is opened as soon as the command line
> arguments are parsed (in ParseArgv()), much before the StartIBDIAG()
> routine is executed. This is done to log any errors encountered during
> the early initialization phase. If DeleteOldFiles() deletes the
> log file later, the utility will continue to write to the file, but
> the entry will be removed from the directory namespace. It will
> likely be deleted (inode and disk blocks) once we close the file. This
> is the reason DeleteOldFiles() explicitly skips this file. The
> proposed fix deletes any pre-existing file with the same name before
> the file is opened for logging in ParseArgv().
>
> The ibdiagnet.db file contains the IB subnet database in tcl
> source-able array format. This file can be used later to load the
> subnet database without going through the subnet discovery phase. The
> sourcing of the subnet database file is done after the DeleteOldFiles()
> routine is executed. So if the input file is the default
> /tmp/ibdiagnet.db file and we delete it, then the sourcing of the
> subnet database will fail. To prevent this from happening, currently
> the subnet database file is explicitly skipped by DeleteOldFiles().
> This opens the window for the symlink-based system file clobbering
> when the file is written. The fix is to delete the ibdiagnet.db
> file just before opening it for write. The file is deleted only if
> the -load_db option is not given, since we do not want to delete the file
> unless we have done subnet discovery and need to write out the new
> subnet database.
>
> The ibdiagnet_ibis.log is the log file set up for the IB interactive
> scripting interpreter (ibis) to log its messages. This is done very
> early in InitializeIBIS(). Also, this is not part of the list of files
> maintained by the ibdiagnet utility. Hence it is not deleted by
> DeleteOldFiles(). The fix is to delete the file just before it is
> set up by ibdiagnet for ibis.
>
>
> Thanks
> Raj
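As an added illustration, not part of the patch or of the ibutils code: a small Python harness that plants a symlink in a private temporary directory and runs three open strategies against it, the plain open(..., 'w') the report describes, the unlink-before-open that the proposed fix applies to the three files, and an O_NOFOLLOW open (my own addition, not in the patch) that refuses to follow a link at all and so also closes the short window between the unlink and the open in which a link could be re-created. The file names and contents are constructed for the test.

```python
import os
import tempfile


def open_for_write_naive(path):
    # Vulnerable pattern: 'w' follows a symlink and truncates whatever it points at.
    return open(path, "w")


def open_for_write_unlink_first(path):
    # Pattern used by the proposed fix: remove any pre-existing directory entry
    # (regular file or symlink) and only then create the file.
    try:
        os.unlink(path)
    except FileNotFoundError:
        pass
    return open(path, "w")


def open_for_write_nofollow(path):
    # Stronger variant (assumption, not in the patch): O_NOFOLLOW makes the open
    # fail with ELOOP if the final path component is a symlink, so the target is
    # never touched, even if the link is planted after an unlink.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    return os.fdopen(os.open(path, flags, 0o600), "w")


def simulate(opener):
    """Run one opener against a planted symlink.

    Returns (victim_contents_after, log_path_is_still_a_symlink)."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")  # constructed stand-in for a system file
        with open(victim, "w") as f:
            f.write("important data\n")
        log = os.path.join(d, "ibdiagnet.log")
        os.symlink(victim, log)  # constructed: the pre-planted link in /tmp
        try:
            with opener(log) as f:
                f.write("log output\n")
        except OSError:
            pass  # the O_NOFOLLOW variant refuses the link; nothing is written
        with open(victim) as f:
            return f.read(), os.path.islink(log)


if __name__ == "__main__":
    for name, fn in [("naive", open_for_write_naive),
                     ("unlink_first", open_for_write_unlink_first),
                     ("nofollow", open_for_write_nofollow)]:
        print(name, simulate(fn))
```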