From 599c33a1f68973495cbae5547dc11eb9717717db Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 22 Apr 2013 09:57:18 -0700 Subject: [PATCH] 3.8-stable patches added patches: perf-treat-attr.config-as-u64-in-perf_swevent_init.patch perf-x86-fix-offcore_rsp-valid-mask-for-snb-ivb.patch userns-changing-any-namespace-id-mappings-should-require-privileges.patch userns-check-uid_map-s-opener-s-fsuid-not-the-current-fsuid.patch userns-don-t-let-unprivileged-users-trick-privileged-users-into-setting-the-id_map.patch --- ...r.config-as-u64-in-perf_swevent_init.patch | 41 ++++++++++ ...x-offcore_rsp-valid-mask-for-snb-ivb.patch | 79 +++++++++++++++++++ queue-3.8/series | 5 ++ ...d-mappings-should-require-privileges.patch | 40 ++++++++++ ...opener-s-fsuid-not-the-current-fsuid.patch | 33 ++++++++ ...ileged-users-into-setting-the-id_map.patch | 75 ++++++++++++++++++ 6 files changed, 273 insertions(+) create mode 100644 queue-3.8/perf-treat-attr.config-as-u64-in-perf_swevent_init.patch create mode 100644 queue-3.8/perf-x86-fix-offcore_rsp-valid-mask-for-snb-ivb.patch create mode 100644 queue-3.8/userns-changing-any-namespace-id-mappings-should-require-privileges.patch create mode 100644 queue-3.8/userns-check-uid_map-s-opener-s-fsuid-not-the-current-fsuid.patch create mode 100644 queue-3.8/userns-don-t-let-unprivileged-users-trick-privileged-users-into-setting-the-id_map.patch diff --git a/queue-3.8/perf-treat-attr.config-as-u64-in-perf_swevent_init.patch b/queue-3.8/perf-treat-attr.config-as-u64-in-perf_swevent_init.patch new file mode 100644 index 00000000000..e8fbb4195e9 --- /dev/null +++ b/queue-3.8/perf-treat-attr.config-as-u64-in-perf_swevent_init.patch @@ -0,0 +1,41 @@ +From 8176cced706b5e5d15887584150764894e94e02f Mon Sep 17 00:00:00 2001 +From: Tommi Rantala +Date: Sat, 13 Apr 2013 22:49:14 +0300 +Subject: perf: Treat attr.config as u64 in perf_swevent_init() + +From: Tommi Rantala + +commit 8176cced706b5e5d15887584150764894e94e02f upstream. + +Trinity discovered that we fail to check all 64 bits of +attr.config passed by user space, resulting to out-of-bounds +access of the perf_swevent_enabled array in +sw_perf_event_destroy(). + +Introduced in commit b0a873ebb ("perf: Register PMU +implementations"). + +Signed-off-by: Tommi Rantala +Cc: Peter Zijlstra +Cc: davej@redhat.com +Cc: Paul Mackerras +Cc: Arnaldo Carvalho de Melo +Link: http://lkml.kernel.org/r/1365882554-30259-1-git-send-email-tt.rantala@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/events/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -5328,7 +5328,7 @@ static void sw_perf_event_destroy(struct + + static int perf_swevent_init(struct perf_event *event) + { +- int event_id = event->attr.config; ++ u64 event_id = event->attr.config; + + if (event->attr.type != PERF_TYPE_SOFTWARE) + return -ENOENT; diff --git a/queue-3.8/perf-x86-fix-offcore_rsp-valid-mask-for-snb-ivb.patch b/queue-3.8/perf-x86-fix-offcore_rsp-valid-mask-for-snb-ivb.patch new file mode 100644 index 00000000000..53eaa75839f --- /dev/null +++ b/queue-3.8/perf-x86-fix-offcore_rsp-valid-mask-for-snb-ivb.patch @@ -0,0 +1,79 @@ +From f1923820c447e986a9da0fc6bf60c1dccdf0408e Mon Sep 17 00:00:00 2001 +From: Stephane Eranian +Date: Tue, 16 Apr 2013 13:51:43 +0200 +Subject: perf/x86: Fix offcore_rsp valid mask for SNB/IVB + +From: Stephane Eranian + +commit f1923820c447e986a9da0fc6bf60c1dccdf0408e upstream. + +The valid mask for both offcore_response_0 and +offcore_response_1 was wrong for SNB/SNB-EP, +IVB/IVB-EP. It was possible to write to +reserved bit and cause a GP fault crashing +the kernel. + +This patch fixes the problem by correctly marking the +reserved bits in the valid mask for all the processors +mentioned above. + +A distinction between desktop and server parts is introduced +because bits 24-30 are only available on the server parts. + +This version of the patch is just a rebase to perf/urgent tree +and should apply to older kernels as well. + +Signed-off-by: Stephane Eranian +Cc: peterz@infradead.org +Cc: jolsa@redhat.com +Cc: ak@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/perf_event_intel.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +--- a/arch/x86/kernel/cpu/perf_event_intel.c ++++ b/arch/x86/kernel/cpu/perf_event_intel.c +@@ -128,8 +128,14 @@ static struct event_constraint intel_gen + }; + + static struct extra_reg intel_snb_extra_regs[] __read_mostly = { +- INTEL_EVENT_EXTRA_REG(0xb7, MSR_OFFCORE_RSP_0, 0x3fffffffffull, RSP_0), +- INTEL_EVENT_EXTRA_REG(0xbb, MSR_OFFCORE_RSP_1, 0x3fffffffffull, RSP_1), ++ INTEL_EVENT_EXTRA_REG(0xb7, MSR_OFFCORE_RSP_0, 0x3f807f8fffull, RSP_0), ++ INTEL_EVENT_EXTRA_REG(0xbb, MSR_OFFCORE_RSP_1, 0x3f807f8fffull, RSP_1), ++ EVENT_EXTRA_END ++}; ++ ++static struct extra_reg intel_snbep_extra_regs[] __read_mostly = { ++ INTEL_EVENT_EXTRA_REG(0xb7, MSR_OFFCORE_RSP_0, 0x3fffff8fffull, RSP_0), ++ INTEL_EVENT_EXTRA_REG(0xbb, MSR_OFFCORE_RSP_1, 0x3fffff8fffull, RSP_1), + EVENT_EXTRA_END + }; + +@@ -2072,7 +2078,10 @@ __init int intel_pmu_init(void) + x86_pmu.event_constraints = intel_snb_event_constraints; + x86_pmu.pebs_constraints = intel_snb_pebs_event_constraints; + x86_pmu.pebs_aliases = intel_pebs_aliases_snb; +- x86_pmu.extra_regs = intel_snb_extra_regs; ++ if (boot_cpu_data.x86_model == 45) ++ x86_pmu.extra_regs = intel_snbep_extra_regs; ++ else ++ x86_pmu.extra_regs = intel_snb_extra_regs; + /* all extra regs are per-cpu when HT is on */ + x86_pmu.er_flags |= ERF_HAS_RSP_1; + x86_pmu.er_flags |= ERF_NO_HT_SHARING; +@@ -2098,7 +2107,10 @@ __init int intel_pmu_init(void) + x86_pmu.event_constraints = intel_snb_event_constraints; + x86_pmu.pebs_constraints = intel_ivb_pebs_event_constraints; + x86_pmu.pebs_aliases = intel_pebs_aliases_snb; +- x86_pmu.extra_regs = intel_snb_extra_regs; ++ if (boot_cpu_data.x86_model == 62) ++ x86_pmu.extra_regs = intel_snbep_extra_regs; ++ else ++ x86_pmu.extra_regs = intel_snb_extra_regs; + /* all extra regs are per-cpu when HT is on */ + x86_pmu.er_flags |= ERF_HAS_RSP_1; + x86_pmu.er_flags |= ERF_NO_HT_SHARING; diff --git a/queue-3.8/series b/queue-3.8/series index d34b83b7ab3..0ad0df9c11e 100644 --- a/queue-3.8/series +++ b/queue-3.8/series @@ -27,3 +27,8 @@ ath9k_hw-change-ar9580-initvals-to-fix-a-stability-issue.patch mac80211-fix-cfg80211-interaction-on-auth-assoc-request.patch ssb-implement-spurious-tone-avoidance.patch crypto-algif-suppress-sending-source-address-information.patch +perf-treat-attr.config-as-u64-in-perf_swevent_init.patch +perf-x86-fix-offcore_rsp-valid-mask-for-snb-ivb.patch +userns-don-t-let-unprivileged-users-trick-privileged-users-into-setting-the-id_map.patch +userns-check-uid_map-s-opener-s-fsuid-not-the-current-fsuid.patch +userns-changing-any-namespace-id-mappings-should-require-privileges.patch diff --git a/queue-3.8/userns-changing-any-namespace-id-mappings-should-require-privileges.patch b/queue-3.8/userns-changing-any-namespace-id-mappings-should-require-privileges.patch new file mode 100644 index 00000000000..5e29e63bdb3 --- /dev/null +++ b/queue-3.8/userns-changing-any-namespace-id-mappings-should-require-privileges.patch @@ -0,0 +1,40 @@ +From 41c21e351e79004dbb4efa4bc14a53a7e0af38c5 Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski +Date: Sun, 14 Apr 2013 11:44:04 -0700 +Subject: userns: Changing any namespace id mappings should require privileges + +From: Andy Lutomirski + +commit 41c21e351e79004dbb4efa4bc14a53a7e0af38c5 upstream. + +Changing uid/gid/projid mappings doesn't change your id within the +namespace; it reconfigures the namespace. Unprivileged programs should +*not* be able to write these files. (We're also checking the privileges +on the wrong task.) + +Given the write-once nature of these files and the other security +checks, this is likely impossible to usefully exploit. + +Signed-off-by: Andy Lutomirski +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/user_namespace.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/kernel/user_namespace.c ++++ b/kernel/user_namespace.c +@@ -576,10 +576,10 @@ static ssize_t map_write(struct file *fi + if (map->nr_extents != 0) + goto out; + +- /* Require the appropriate privilege CAP_SETUID or CAP_SETGID +- * over the user namespace in order to set the id mapping. ++ /* ++ * Adjusting namespace settings requires capabilities on the target. + */ +- if (cap_valid(cap_setid) && !ns_capable(ns, cap_setid)) ++ if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN)) + goto out; + + /* Get a buffer */ diff --git a/queue-3.8/userns-check-uid_map-s-opener-s-fsuid-not-the-current-fsuid.patch b/queue-3.8/userns-check-uid_map-s-opener-s-fsuid-not-the-current-fsuid.patch new file mode 100644 index 00000000000..7214d651d01 --- /dev/null +++ b/queue-3.8/userns-check-uid_map-s-opener-s-fsuid-not-the-current-fsuid.patch @@ -0,0 +1,33 @@ +From e3211c120a85b792978bcb4be7b2886df18d27f0 Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski +Date: Sun, 14 Apr 2013 16:28:19 -0700 +Subject: userns: Check uid_map's opener's fsuid, not the current fsuid + +From: Andy Lutomirski + +commit e3211c120a85b792978bcb4be7b2886df18d27f0 upstream. + +Signed-off-by: Andy Lutomirski +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/user_namespace.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/user_namespace.c ++++ b/kernel/user_namespace.c +@@ -763,12 +763,12 @@ static bool new_idmap_permitted(const st + u32 id = new_map->extent[0].lower_first; + if (cap_setid == CAP_SETUID) { + kuid_t uid = make_kuid(ns->parent, id); +- if (uid_eq(uid, current_fsuid())) ++ if (uid_eq(uid, file->f_cred->fsuid)) + return true; + } + else if (cap_setid == CAP_SETGID) { + kgid_t gid = make_kgid(ns->parent, id); +- if (gid_eq(gid, current_fsgid())) ++ if (gid_eq(gid, file->f_cred->fsgid)) + return true; + } + } diff --git a/queue-3.8/userns-don-t-let-unprivileged-users-trick-privileged-users-into-setting-the-id_map.patch b/queue-3.8/userns-don-t-let-unprivileged-users-trick-privileged-users-into-setting-the-id_map.patch new file mode 100644 index 00000000000..cfab451e602 --- /dev/null +++ b/queue-3.8/userns-don-t-let-unprivileged-users-trick-privileged-users-into-setting-the-id_map.patch @@ -0,0 +1,75 @@ +From 6708075f104c3c9b04b23336bb0366ca30c3931b Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Sun, 14 Apr 2013 13:47:02 -0700 +Subject: userns: Don't let unprivileged users trick privileged users into setting the id_map + +From: "Eric W. Biederman" + +commit 6708075f104c3c9b04b23336bb0366ca30c3931b upstream. + +When we require privilege for setting /proc//uid_map or +/proc//gid_map no longer allow an unprivileged user to +open the file and pass it to a privileged program to write +to the file. + +Instead when privilege is required require both the opener and the +writer to have the necessary capabilities. + +I have tested this code and verified that setting /proc//uid_map +fails when an unprivileged user opens the file and a privielged user +attempts to set the mapping, that unprivileged users can still map +their own id, and that a privileged users can still setup an arbitrary +mapping. + +Reported-by: Andy Lutomirski +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Andy Lutomirski +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/user_namespace.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/kernel/user_namespace.c ++++ b/kernel/user_namespace.c +@@ -25,7 +25,8 @@ + + static struct kmem_cache *user_ns_cachep __read_mostly; + +-static bool new_idmap_permitted(struct user_namespace *ns, int cap_setid, ++static bool new_idmap_permitted(const struct file *file, ++ struct user_namespace *ns, int cap_setid, + struct uid_gid_map *map); + + static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns) +@@ -666,7 +667,7 @@ static ssize_t map_write(struct file *fi + + ret = -EPERM; + /* Validate the user is allowed to use user id's mapped to. */ +- if (!new_idmap_permitted(ns, cap_setid, &new_map)) ++ if (!new_idmap_permitted(file, ns, cap_setid, &new_map)) + goto out; + + /* Map the lower ids from the parent user namespace to the +@@ -753,7 +754,8 @@ ssize_t proc_projid_map_write(struct fil + &ns->projid_map, &ns->parent->projid_map); + } + +-static bool new_idmap_permitted(struct user_namespace *ns, int cap_setid, ++static bool new_idmap_permitted(const struct file *file, ++ struct user_namespace *ns, int cap_setid, + struct uid_gid_map *new_map) + { + /* Allow mapping to your own filesystem ids */ +@@ -777,8 +779,10 @@ static bool new_idmap_permitted(struct u + + /* Allow the specified ids if we have the appropriate capability + * (CAP_SETUID or CAP_SETGID) over the parent user namespace. ++ * And the opener of the id file also had the approprpiate capability. + */ +- if (ns_capable(ns->parent, cap_setid)) ++ if (ns_capable(ns->parent, cap_setid) && ++ file_ns_capable(file, ns->parent, cap_setid)) + return true; + + return false; -- 2.47.3