From 97d7a4e2526a3a5970c0973ad308ef34e9885926 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 6 Oct 2019 16:53:48 +0200
Subject: [PATCH] 4.14-stable patches
added patches:
smack-don-t-ignore-other-bprm-unsafe-flags-if-lsm_unsafe_ptrace-is-set.patch
smack-use-gfp_nofs-while-holding-inode_smack-smk_lock.patch
---
 queue-4.14/series | 2 +
 ...fe-flags-if-lsm_unsafe_ptrace-is-set.patch | 50 ++++++++++++++
 ...s-while-holding-inode_smack-smk_lock.patch | 66 +++++++++++++++++++
 3 files changed, 118 insertions(+)
 create mode 100644 queue-4.14/smack-don-t-ignore-other-bprm-unsafe-flags-if-lsm_unsafe_ptrace-is-set.patch
 create mode 100644 queue-4.14/smack-use-gfp_nofs-while-holding-inode_smack-smk_lock.patch
diff --git a/queue-4.14/series b/queue-4.14/series
index 0a044b7be59..fb6b418c6a2 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -62,3 +62,5 @@ xen-netfront-do-not-use-0u-as-error-return-value-for-xennet_fill_frags.patch
 tipc-fix-unlimited-bundling-of-small-messages.patch
 sch_cbq-validate-tca_cbq_wrropt-to-avoid-crash.patch
 ipv6-handle-missing-host-route-in-__ipv6_ifa_notify.patch
+smack-don-t-ignore-other-bprm-unsafe-flags-if-lsm_unsafe_ptrace-is-set.patch
+smack-use-gfp_nofs-while-holding-inode_smack-smk_lock.patch
diff --git a/queue-4.14/smack-don-t-ignore-other-bprm-unsafe-flags-if-lsm_unsafe_ptrace-is-set.patch b/queue-4.14/smack-don-t-ignore-other-bprm-unsafe-flags-if-lsm_unsafe_ptrace-is-set.patch
new file mode 100644
index 00000000000..a32a156d707
--- /dev/null
+++ b/queue-4.14/smack-don-t-ignore-other-bprm-unsafe-flags-if-lsm_unsafe_ptrace-is-set.patch
@@ -0,0 +1,50 @@
+From 3675f052b43ba51b99b85b073c7070e083f3e6fb Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Thu, 4 Jul 2019 20:44:44 +0200
+Subject: Smack: Don't ignore other bprm->unsafe flags if LSM_UNSAFE_PTRACE is set
+
+From: Jann Horn
+
+commit 3675f052b43ba51b99b85b073c7070e083f3e6fb upstream.
+
+There is a logic bug in the current smack_bprm_set_creds():
+If LSM_UNSAFE_PTRACE is set, but the ptrace state is deemed to be
+acceptable (e.g. because the ptracer detached in the meantime), the other
+->unsafe flags aren't checked. As far as I can tell, this means that
+something like the following could work (but I haven't tested it):
+
+ - task A: create task B with fork()
+ - task B: set NO_NEW_PRIVS
+ - task B: install a seccomp filter that makes open() return 0 under some
+ conditions
+ - task B: replace fd 0 with a malicious library
+ - task A: attach to task B with PTRACE_ATTACH
+ - task B: execve() a file with an SMACK64EXEC extended attribute
+ - task A: while task B is still in the middle of execve(), exit (which
+ destroys the ptrace relationship)
+
+Make sure that if any flags other than LSM_UNSAFE_PTRACE are set in
+bprm->unsafe, we reject the execve().
+
+Cc: stable@vger.kernel.org
+Fixes: 5663884caab1 ("Smack: unify all ptrace accesses in the smack")
+Signed-off-by: Jann Horn
+Signed-off-by: Casey Schaufler
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/smack/smack_lsm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -944,7 +944,8 @@ static int smack_bprm_set_creds(struct l
+
+ if (rc != 0)
+ return rc;
+- } else if (bprm->unsafe)
++ }
++ if (bprm->unsafe & ~LSM_UNSAFE_PTRACE)
+ return -EPERM;
+
+ bsp->smk_task = isp->smk_task;
diff --git a/queue-4.14/smack-use-gfp_nofs-while-holding-inode_smack-smk_lock.patch b/queue-4.14/smack-use-gfp_nofs-while-holding-inode_smack-smk_lock.patch
new file mode 100644
index 00000000000..4b99d91de6f
--- /dev/null
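Review bot: The new `if (bprm->unsafe & ~LSM_UNSAFE_PTRACE)` test carries no comment, and the mask is the subtle part of this fix: the ptrace bit is the only one already validated by the block that the added `}` now closes, so every other unsafe bit (the description's NO_NEW_PRIVS case among them) must still refuse the exec even after that block accepted the ptrace state. A one-line comment above it, `/* ptrace was checked above; any other unsafe flag still denies the exec */`, would keep a later reader from folding it back into the old else-if shape, which is exactly the bug being removed. The ptrace block and the rest of smack_bprm_set_creds lie outside the hunk, so the claim that the bit is validated there follows the commit description rather than visible lines. Since this file is a queued backport of upstream 3675f052b43b, such a comment belongs upstream first rather than in the stable copy.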
+++ b/queue-4.14/smack-use-gfp_nofs-while-holding-inode_smack-smk_lock.patch 
@@ -0,0 +1,66 @@
+From e5bfad3d7acc5702f32aafeb388362994f4d7bd0 Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Wed, 21 Aug 2019 22:54:41 -0700
+Subject: smack: use GFP_NOFS while holding inode_smack::smk_lock
+
+From: Eric Biggers
+
+commit e5bfad3d7acc5702f32aafeb388362994f4d7bd0 upstream.
+
+inode_smack::smk_lock is taken during smack_d_instantiate(), which is
+called during a filesystem transaction when creating a file on ext4.
+Therefore to avoid a deadlock, all code that takes this lock must use
+GFP_NOFS, to prevent memory reclaim from waiting for the filesystem
+transaction to complete.
+
+Reported-by: syzbot+0eefc1e06a77d327a056@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers
+Signed-off-by: Casey Schaufler
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/smack/smack_access.c | 6 +++---
+ security/smack/smack_lsm.c | 2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/security/smack/smack_access.c
++++ b/security/smack/smack_access.c
+@@ -469,7 +469,7 @@ char *smk_parse_smack(const char *string
+ if (i == 0 || i >= SMK_LONGLABEL)
+ return ERR_PTR(-EINVAL);
+
+- smack = kzalloc(i + 1, GFP_KERNEL);
++ smack = kzalloc(i + 1, GFP_NOFS);
+ if (smack == NULL)
+ return ERR_PTR(-ENOMEM);
+
+@@ -504,7 +504,7 @@ int smk_netlbl_mls(int level, char *cats
+ if ((m & *cp) == 0)
+ continue;
+ rc = netlbl_catmap_setbit(&sap->attr.mls.cat,
+- cat, GFP_KERNEL);
++ cat, GFP_NOFS);
+ if (rc < 0) {
+ netlbl_catmap_free(sap->attr.mls.cat);
+ return rc;
+@@ -540,7 +540,7 @@ struct smack_known *smk_import_entry(con
+ if (skp != NULL)
+ goto freeout;
+
+- skp = kzalloc(sizeof(*skp), GFP_KERNEL);
++ skp = kzalloc(sizeof(*skp), GFP_NOFS);
+ if (skp == NULL) {
+ skp = ERR_PTR(-ENOMEM);
+ goto freeout;
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -269,7 +269,7 @@ static struct smack_known *smk_fetch(con
+ if (!(ip->i_opflags & IOP_XATTR))
+ return ERR_PTR(-EOPNOTSUPP);
+
+- buffer = kzalloc(SMK_LONGLABEL, GFP_KERNEL);
++ buffer = kzalloc(SMK_LONGLABEL, GFP_NOFS);
+ if (buffer == NULL)
+ return ERR_PTR(-ENOMEM);
+
-- 
2.47.2
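Review bot: GFP_NOFS is now baked into smk_parse_smack, smk_netlbl_mls and smk_import_entry, which the inner hunk headers show to be general-purpose helpers, while the deadlock argument in the description applies only while inode_smack::smk_lock is held; every other caller of these helpers now allocates under the tighter NOFS constraint too, and none of the four changed kzalloc/netlbl_catmap_setbit sites records why. A scoped alternative that leaves the helpers' other callers unconstrained is memalloc_nofs_save()/memalloc_nofs_restore() around the smk_lock region, which is the mechanism later kernels prefer over sprinkling GFP_NOFS; whether the 4.14 locked regions make that practical is not visible from this patch. At minimum a comment at the first changed site, `/* GFP_NOFS: may be called under inode_smack::smk_lock inside a fs transaction */`, would preserve the reason so a future cleanup does not revert it to GFP_KERNEL. All four enclosing functions start and end outside the hunk, and as a queued backport of upstream e5bfad3d7acc any such change belongs upstream first.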