From 9ee6f3866f07ce3a968c2744d932b8d00f2d14e2 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 12 Sep 2014 16:45:18 -0700 Subject: [PATCH] 3.10-stable patches added patches: capabilities-remove-undefined-caps-from-all-processes.patch tpm-missing-tpm_chip_put-in-tpm_get_random.patch --- ...ve-undefined-caps-from-all-processes.patch | 178 ++++++++++++++++++ queue-3.10/series | 2 + ...ssing-tpm_chip_put-in-tpm_get_random.patch | 48 +++++ 3 files changed, 228 insertions(+) create mode 100644 queue-3.10/capabilities-remove-undefined-caps-from-all-processes.patch create mode 100644 queue-3.10/tpm-missing-tpm_chip_put-in-tpm_get_random.patch diff --git a/queue-3.10/capabilities-remove-undefined-caps-from-all-processes.patch b/queue-3.10/capabilities-remove-undefined-caps-from-all-processes.patch new file mode 100644 index 00000000000..16efd63d308 --- /dev/null +++ b/queue-3.10/capabilities-remove-undefined-caps-from-all-processes.patch @@ -0,0 +1,178 @@ +From 7d8b6c63751cfbbe5eef81a48c22978b3407a3ad Mon Sep 17 00:00:00 2001 +From: Eric Paris +Date: Wed, 23 Jul 2014 15:36:26 -0400 +Subject: CAPABILITIES: remove undefined caps from all processes + +From: Eric Paris + +commit 7d8b6c63751cfbbe5eef81a48c22978b3407a3ad upstream. + +This is effectively a revert of 7b9a7ec565505699f503b4fcf61500dceb36e744 +plus fixing it a different way... + +We found, when trying to run an application from an application which +had dropped privs that the kernel does security checks on undefined +capability bits. This was ESPECIALLY difficult to debug as those +undefined bits are hidden from /proc/$PID/status. + +Consider a root application which drops all capabilities from ALL 4 +capability sets. We assume, since the application is going to set +eff/perm/inh from an array that it will clear not only the defined caps +less than CAP_LAST_CAP, but also the higher 28ish bits which are +undefined future capabilities. + +The BSET gets cleared differently. Instead it is cleared one bit at a +time. The problem here is that in security/commoncap.c::cap_task_prctl() +we actually check the validity of a capability being read. So any task +which attempts to 'read all things set in bset' followed by 'unset all +things set in bset' will not even attempt to unset the undefined bits +higher than CAP_LAST_CAP. + +So the 'parent' will look something like: +CapInh: 0000000000000000 +CapPrm: 0000000000000000 +CapEff: 0000000000000000 +CapBnd: ffffffc000000000 + +All of this 'should' be fine. Given that these are undefined bits that +aren't supposed to have anything to do with permissions. But they do... + +So lets now consider a task which cleared the eff/perm/inh completely +and cleared all of the valid caps in the bset (but not the invalid caps +it couldn't read out of the kernel). We know that this is exactly what +the libcap-ng library does and what the go capabilities library does. +They both leave you in that above situation if you try to clear all of +you capapabilities from all 4 sets. If that root task calls execve() +the child task will pick up all caps not blocked by the bset. The bset +however does not block bits higher than CAP_LAST_CAP. So now the child +task has bits in eff which are not in the parent. These are +'meaningless' undefined bits, but still bits which the parent doesn't +have. + +The problem is now in cred_cap_issubset() (or any operation which does a +subset test) as the child, while a subset for valid cap bits, is not a +subset for invalid cap bits! So now we set durring commit creds that +the child is not dumpable. Given it is 'more priv' than its parent. It +also means the parent cannot ptrace the child and other stupidity. + +The solution here: +1) stop hiding capability bits in status + This makes debugging easier! + +2) stop giving any task undefined capability bits. it's simple, it you +don't put those invalid bits in CAP_FULL_SET you won't get them in init +and you won't get them in any other task either. + This fixes the cap_issubset() tests and resulting fallout (which + made the init task in a docker container untraceable among other + things) + +3) mask out undefined bits when sys_capset() is called as it might use +~0, ~0 to denote 'all capabilities' for backward/forward compatibility. + This lets 'capsh --caps="all=eip" -- -c /bin/bash' run. + +4) mask out undefined bit when we read a file capability off of disk as +again likely all bits are set in the xattr for forward/backward +compatibility. + This lets 'setcap all+pe /bin/bash; /bin/bash' run + +Signed-off-by: Eric Paris +Reviewed-by: Kees Cook +Cc: Andrew Vagin +Cc: Andrew G. Morgan +Cc: Serge E. Hallyn +Cc: Kees Cook +Cc: Steve Grubb +Cc: Dan Walsh +Signed-off-by: James Morris +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/array.c | 11 +---------- + include/linux/capability.h | 5 ++++- + kernel/audit.c | 2 +- + kernel/capability.c | 4 ++++ + security/commoncap.c | 3 +++ + 5 files changed, 13 insertions(+), 12 deletions(-) + +--- a/fs/proc/array.c ++++ b/fs/proc/array.c +@@ -304,15 +304,11 @@ static void render_cap_t(struct seq_file + seq_puts(m, header); + CAP_FOR_EACH_U32(__capi) { + seq_printf(m, "%08x", +- a->cap[(_KERNEL_CAPABILITY_U32S-1) - __capi]); ++ a->cap[CAP_LAST_U32 - __capi]); + } + seq_putc(m, '\n'); + } + +-/* Remove non-existent capabilities */ +-#define NORM_CAPS(v) (v.cap[CAP_TO_INDEX(CAP_LAST_CAP)] &= \ +- CAP_TO_MASK(CAP_LAST_CAP + 1) - 1) +- + static inline void task_cap(struct seq_file *m, struct task_struct *p) + { + const struct cred *cred; +@@ -326,11 +322,6 @@ static inline void task_cap(struct seq_f + cap_bset = cred->cap_bset; + rcu_read_unlock(); + +- NORM_CAPS(cap_inheritable); +- NORM_CAPS(cap_permitted); +- NORM_CAPS(cap_effective); +- NORM_CAPS(cap_bset); +- + render_cap_t(m, "CapInh:\t", &cap_inheritable); + render_cap_t(m, "CapPrm:\t", &cap_permitted); + render_cap_t(m, "CapEff:\t", &cap_effective); +--- a/include/linux/capability.h ++++ b/include/linux/capability.h +@@ -78,8 +78,11 @@ extern const kernel_cap_t __cap_init_eff + # error Fix up hand-coded capability macro initializers + #else /* HAND-CODED capability initializers */ + ++#define CAP_LAST_U32 ((_KERNEL_CAPABILITY_U32S) - 1) ++#define CAP_LAST_U32_VALID_MASK (CAP_TO_MASK(CAP_LAST_CAP + 1) -1) ++ + # define CAP_EMPTY_SET ((kernel_cap_t){{ 0, 0 }}) +-# define CAP_FULL_SET ((kernel_cap_t){{ ~0, ~0 }}) ++# define CAP_FULL_SET ((kernel_cap_t){{ ~0, CAP_LAST_U32_VALID_MASK }}) + # define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \ + | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \ + CAP_FS_MASK_B1 } }) +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -1412,7 +1412,7 @@ void audit_log_cap(struct audit_buffer * + audit_log_format(ab, " %s=", prefix); + CAP_FOR_EACH_U32(i) { + audit_log_format(ab, "%08x", +- cap->cap[(_KERNEL_CAPABILITY_U32S-1) - i]); ++ cap->cap[CAP_LAST_U32 - i]); + } + } + +--- a/kernel/capability.c ++++ b/kernel/capability.c +@@ -268,6 +268,10 @@ SYSCALL_DEFINE2(capset, cap_user_header_ + i++; + } + ++ effective.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; ++ permitted.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; ++ inheritable.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; ++ + new = prepare_creds(); + if (!new) + return -ENOMEM; +--- a/security/commoncap.c ++++ b/security/commoncap.c +@@ -421,6 +421,9 @@ int get_vfs_caps_from_disk(const struct + cpu_caps->inheritable.cap[i] = le32_to_cpu(caps.data[i].inheritable); + } + ++ cpu_caps->permitted.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; ++ cpu_caps->inheritable.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; ++ + return 0; + } + diff --git a/queue-3.10/series b/queue-3.10/series index 3555c9d9239..1e5fdc4cd3b 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -6,3 +6,5 @@ iommu-amd-fix-cleanup_domain-for-mass-device-removal.patch spi-orion-fix-incorrect-handling-of-cell-index-dt-property.patch spi-omap2-mcspi-configure-hardware-when-slave-driver-changes-mode.patch firmware-do-not-use-warn_on-spin_is_locked.patch +tpm-missing-tpm_chip_put-in-tpm_get_random.patch +capabilities-remove-undefined-caps-from-all-processes.patch diff --git a/queue-3.10/tpm-missing-tpm_chip_put-in-tpm_get_random.patch b/queue-3.10/tpm-missing-tpm_chip_put-in-tpm_get_random.patch new file mode 100644 index 00000000000..50de76067ee --- /dev/null +++ b/queue-3.10/tpm-missing-tpm_chip_put-in-tpm_get_random.patch @@ -0,0 +1,48 @@ +From 3e14d83ef94a5806a865b85b513b4e891923c19b Mon Sep 17 00:00:00 2001 +From: Jarkko Sakkinen +Date: Fri, 9 May 2014 14:23:10 +0300 +Subject: tpm: missing tpm_chip_put in tpm_get_random() + +From: Jarkko Sakkinen + +commit 3e14d83ef94a5806a865b85b513b4e891923c19b upstream. + +Regression in 41ab999c. Call to tpm_chip_put is missing. This +will cause TPM device driver not to unload if tmp_get_random() +is called. + +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Peter Huewe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/tpm/tpm.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/char/tpm/tpm.c ++++ b/drivers/char/tpm/tpm.c +@@ -1423,13 +1423,13 @@ int tpm_get_random(u32 chip_num, u8 *out + int err, total = 0, retries = 5; + u8 *dest = out; + ++ if (!out || !num_bytes || max > TPM_MAX_RNG_DATA) ++ return -EINVAL; ++ + chip = tpm_chip_find_get(chip_num); + if (chip == NULL) + return -ENODEV; + +- if (!out || !num_bytes || max > TPM_MAX_RNG_DATA) +- return -EINVAL; +- + do { + tpm_cmd.header.in = tpm_getrandom_header; + tpm_cmd.params.getrandom_in.num_bytes = cpu_to_be32(num_bytes); +@@ -1448,6 +1448,7 @@ int tpm_get_random(u32 chip_num, u8 *out + num_bytes -= recd; + } while (retries-- && total < max); + ++ tpm_chip_put(chip); + return total ? total : -EIO; + } + EXPORT_SYMBOL_GPL(tpm_get_random); -- 2.47.3