From: Greg KH <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Tim Gardner <tim.gardner@canonical.com>,
John Johansen <john.johansen@canonical.com>, <stable@kernel.org>,
Tyler Hicks <tyler.hicks@canonical.com>
Subject: [ 13/34] Add mount option to check uid of device being mounted = expect uid, CVE-2011-1833
Date: Thu, 01 Mar 2012 13:39:35 -0800 [thread overview]
Message-ID: <20120301213924.357116491@linuxfoundation.org> (raw)
In-Reply-To: <20120301214654.GA13231@kroah.com>
2.6.32-longterm review patch. If anyone has any objections, please let me know.
------------------
From: John Johansen <john.johansen@canonical.com>
(backported from commit 764355487ea220fdc2faf128d577d7f679b91f97)
Close a TOCTOU race for mounts done via ecryptfs-mount-private. The mount
source (device) can be raced when the ownership test is done in userspace.
Provide Ecryptfs a means to force the uid check at mount time.
BugLink: http://bugs.launchpad.net/bugs/732628
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tyler Hicks <tyler.hicks@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ecryptfs/main.c | 30 +++++++++++++++++++++++++-----
1 file changed, 25 insertions(+), 5 deletions(-)
--- a/fs/ecryptfs/main.c
+++ b/fs/ecryptfs/main.c
@@ -212,7 +212,8 @@ enum { ecryptfs_opt_sig, ecryptfs_opt_ec
ecryptfs_opt_passthrough, ecryptfs_opt_xattr_metadata,
ecryptfs_opt_encrypted_view, ecryptfs_opt_fnek_sig,
ecryptfs_opt_fn_cipher, ecryptfs_opt_fn_cipher_key_bytes,
- ecryptfs_opt_unlink_sigs, ecryptfs_opt_err };
+ ecryptfs_opt_unlink_sigs, ecryptfs_opt_check_dev_ruid,
+ ecryptfs_opt_err };
static const match_table_t tokens = {
{ecryptfs_opt_sig, "sig=%s"},
@@ -227,6 +228,7 @@ static const match_table_t tokens = {
{ecryptfs_opt_fn_cipher, "ecryptfs_fn_cipher=%s"},
{ecryptfs_opt_fn_cipher_key_bytes, "ecryptfs_fn_key_bytes=%u"},
{ecryptfs_opt_unlink_sigs, "ecryptfs_unlink_sigs"},
+ {ecryptfs_opt_check_dev_ruid, "ecryptfs_check_dev_ruid"},
{ecryptfs_opt_err, NULL}
};
@@ -270,6 +272,7 @@ static void ecryptfs_init_mount_crypt_st
* ecryptfs_parse_options
* @sb: The ecryptfs super block
* @options: The options pased to the kernel
+ * @check_ruid: set to 1 if device uid should be checked against the ruid
*
* Parse mount options:
* debug=N - ecryptfs_verbosity level for debug output
@@ -285,7 +288,8 @@ static void ecryptfs_init_mount_crypt_st
*
* Returns zero on success; non-zero on error
*/
-static int ecryptfs_parse_options(struct super_block *sb, char *options)
+static int ecryptfs_parse_options(struct super_block *sb, char *options,
+ uid_t *check_ruid)
{
char *p;
int rc = 0;
@@ -310,6 +314,8 @@ static int ecryptfs_parse_options(struct
char *cipher_key_bytes_src;
char *fn_cipher_key_bytes_src;
+ *check_ruid = 0;
+
if (!options) {
rc = -EINVAL;
goto out;
@@ -410,6 +416,9 @@ static int ecryptfs_parse_options(struct
case ecryptfs_opt_unlink_sigs:
mount_crypt_stat->flags |= ECRYPTFS_UNLINK_SIGS;
break;
+ case ecryptfs_opt_check_dev_ruid:
+ *check_ruid = 1;
+ break;
case ecryptfs_opt_err:
default:
printk(KERN_WARNING
@@ -552,7 +561,8 @@ out:
* ecryptfs_interpose to create our initial inode and super block
* struct.
*/
-static int ecryptfs_read_super(struct super_block *sb, const char *dev_name)
+static int ecryptfs_read_super(struct super_block *sb, const char *dev_name,
+ uid_t check_ruid)
{
struct path path;
int rc;
@@ -569,6 +579,15 @@ static int ecryptfs_read_super(struct su
"known incompatibilities\n");
goto out_free;
}
+
+ if (check_ruid && path.dentry->d_inode->i_uid != current_uid()) {
+ rc = -EPERM;
+ printk(KERN_ERR "Mount of device (uid: %d) not owned by "
+ "requested user (uid: %d)\n",
+ path.dentry->d_inode->i_uid, current_uid());
+ goto out_free;
+ }
+
ecryptfs_set_superblock_lower(sb, path.dentry->d_sb);
sb->s_maxbytes = path.dentry->d_sb->s_maxbytes;
sb->s_blocksize = path.dentry->d_sb->s_blocksize;
@@ -607,6 +626,7 @@ static int ecryptfs_get_sb(struct file_s
{
int rc;
struct super_block *sb;
+ uid_t check_ruid;
rc = get_sb_nodev(fs_type, flags, raw_data, ecryptfs_fill_super, mnt);
if (rc < 0) {
@@ -614,12 +634,12 @@ static int ecryptfs_get_sb(struct file_s
goto out;
}
sb = mnt->mnt_sb;
- rc = ecryptfs_parse_options(sb, raw_data);
+ rc = ecryptfs_parse_options(sb, raw_data, &check_ruid);
if (rc) {
printk(KERN_ERR "Error parsing options; rc = [%d]\n", rc);
goto out_abort;
}
- rc = ecryptfs_read_super(sb, dev_name);
+ rc = ecryptfs_read_super(sb, dev_name, check_ruid);
if (rc) {
printk(KERN_ERR "Reading sb failed; rc = [%d]\n", rc);
goto out_abort;
next prev parent reply other threads:[~2012-03-01 21:39 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-03-01 21:46 [ 00/34] 2.6.32.58-longterm review Greg KH
2012-03-01 21:39 ` [ 01/34] drm/i915: no lvds quirk for AOpen MP45 Greg KH
2012-03-01 21:39 ` [ 02/34] hwmon: (f75375s) Fix bit shifting in f75375_write16 Greg KH
2012-03-01 21:39 ` [ 03/34] lib: proportion: lower PROP_MAX_SHIFT to 32 on 64-bit kernel Greg KH
2012-03-05 15:06 ` Jan Kara
2012-03-05 21:31 ` Fengguang Wu
2012-03-06 20:35 ` Jan Kara
2012-03-07 5:14 ` Fengguang Wu
2012-03-01 21:39 ` [ 04/34] relay: prevent integer overflow in relay_open() Greg KH
2012-03-01 21:39 ` [ 05/34] mac80211: timeout a single frame in the rx reorder buffer Greg KH
2012-03-01 21:39 ` [ 06/34] kernel.h: fix wrong usage of __ratelimit() Greg KH
2012-03-01 21:39 ` [ 07/34] printk_ratelimited(): fix uninitialized spinlock Greg KH
2012-03-01 21:39 ` [ 08/34] hwmon: (f75375s) Fix automatic pwm mode setting for F75373 & F75375 Greg KH
2012-03-01 21:39 ` [ 09/34] crypto: sha512 - Use binary and instead of modulus Greg KH
2012-03-01 21:39 ` [ 10/34] crypto: sha512 - Avoid stack bloat on i386 Greg KH
2012-03-01 21:39 ` [ 11/34] eCryptfs: Remove mmap from directory operations Greg KH
2012-03-01 21:39 ` [ 12/34] Ban ecryptfs over ecryptfs Greg KH
2012-03-01 21:39 ` Greg KH [this message]
2012-03-01 21:39 ` [ 14/34] crypto: sha512 - use standard ror64() Greg KH
2012-03-01 21:39 ` [ 15/34] drm/radeon/kms: fix MSI re-arm on rv370+ Greg KH
2012-03-01 21:39 ` [ 16/34] ecryptfs: read on a directory should return EISDIR if not supported Greg KH
2012-03-01 21:39 ` [ 17/34] SCSI: 3w-9xxx fix bug in sgl loading Greg KH
2012-03-01 21:39 ` [ 18/34] ARM: 7321/1: cache-v7: Disable preemption when reading CCSIDR Greg KH
2012-03-01 21:39 ` [ 19/34] ARM: 7325/1: fix v7 boot with lockdep enabled Greg KH
2012-03-01 21:39 ` [ 20/34] USB: Added Kamstrup VID/PIDs to cp210x serial driver Greg KH
2012-03-01 21:39 ` [ 21/34] USB: Fix handoff when BIOS disables host PCI device Greg KH
2012-03-01 21:39 ` [ 22/34] xhci: Fix encoding for HS bulk/control NAK rate Greg KH
2012-03-01 21:39 ` [ 23/34] [media] hdpvr: fix race conditon during start of streaming Greg KH
2012-03-01 21:39 ` [ 24/34] eCryptfs: Use notify_change for truncating lower inodes Greg KH
2012-03-01 21:39 ` [ 25/34] eCryptfs: Remove extra d_delete in ecryptfs_rmdir Greg KH
2012-03-01 21:39 ` [ 26/34] eCryptfs: Clear i_nlink in rmdir Greg KH
2012-03-01 21:39 ` [ 27/34] cdrom: use copy_to_user() without the underscores Greg KH
2012-03-01 21:39 ` [ 28/34] autofs: work around unhappy compat problem on x86-64 Greg KH
2012-03-01 21:39 ` [ 29/34] Fix autofs compile without CONFIG_COMPAT Greg KH
2012-03-01 21:39 ` [ 30/34] compat: fix compile breakage on s390 Greg KH
2012-03-01 21:39 ` [ 31/34] PM: Print a warning if firmware is requested when tasks are frozen Greg KH
2012-03-01 21:39 ` [ 32/34] firmware loader: allow builtin firmware load even if usermodehelper is disabled Greg KH
2012-03-01 21:39 ` [ 33/34] PM / Sleep: Fix freezer failures due to racy usermodehelper_is_disabled() Greg KH
2012-03-01 21:39 ` [ 34/34] PM / Sleep: Fix read_unlock_usermodehelper() call Greg KH
2012-03-02 7:19 ` [ 00/34] 2.6.32.58-longterm review Willy Tarreau
2012-03-02 13:51 ` Stefan Bader
2012-03-02 15:37 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120301213924.357116491@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=john.johansen@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@kernel.org \
--cc=stable@vger.kernel.org \
--cc=tim.gardner@canonical.com \
--cc=torvalds@linux-foundation.org \
--cc=tyler.hicks@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).