From: Greg Kroah-Hartman Date: Thu, 12 Jun 2014 22:57:43 +0000 (-0700) Subject: 3.15-stable patches X-Git-Tag: v3.4.94~9 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b60f9da6932ea7524ceecbb1a92a2389fa7b1a7e;p=thirdparty%2Fkernel%2Fstable-queue.git 3.15-stable patches added patches: auditsc-audit_krule-mask-accesses-need-bounds-checking.patch --- diff --git a/queue-3.15/auditsc-audit_krule-mask-accesses-need-bounds-checking.patch b/queue-3.15/auditsc-audit_krule-mask-accesses-need-bounds-checking.patch new file mode 100644 index 00000000000..1081c919ea6 --- /dev/null +++ b/queue-3.15/auditsc-audit_krule-mask-accesses-need-bounds-checking.patch @@ -0,0 +1,85 @@ +From a3c54931199565930d6d84f4c3456f6440aefd41 Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski +Date: Wed, 28 May 2014 23:09:58 -0400 +Subject: auditsc: audit_krule mask accesses need bounds checking + +From: Andy Lutomirski + +commit a3c54931199565930d6d84f4c3456f6440aefd41 upstream. + +Fixes an easy DoS and possible information disclosure. + +This does nothing about the broken state of x32 auditing. + +eparis: If the admin has enabled auditd and has specifically loaded +audit rules. This bug has been around since before git. Wow... + +Signed-off-by: Andy Lutomirski +Signed-off-by: Eric Paris +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/auditsc.c | 27 ++++++++++++++++++--------- + 1 file changed, 18 insertions(+), 9 deletions(-) + +--- a/kernel/auditsc.c ++++ b/kernel/auditsc.c +@@ -728,6 +728,22 @@ static enum audit_state audit_filter_tas + return AUDIT_BUILD_CONTEXT; + } + ++static int audit_in_mask(const struct audit_krule *rule, unsigned long val) ++{ ++ int word, bit; ++ ++ if (val > 0xffffffff) ++ return false; ++ ++ word = AUDIT_WORD(val); ++ if (word >= AUDIT_BITMASK_SIZE) ++ return false; ++ ++ bit = AUDIT_BIT(val); ++ ++ return rule->mask[word] & bit; ++} ++ + /* At syscall entry and exit time, this filter is called if the + * audit_state is not low enough that auditing cannot take place, but is + * also not high enough that we already know we have to write an audit +@@ -745,11 +761,8 @@ static enum audit_state audit_filter_sys + + rcu_read_lock(); + if (!list_empty(list)) { +- int word = AUDIT_WORD(ctx->major); +- int bit = AUDIT_BIT(ctx->major); +- + list_for_each_entry_rcu(e, list, list) { +- if ((e->rule.mask[word] & bit) == bit && ++ if (audit_in_mask(&e->rule, ctx->major) && + audit_filter_rules(tsk, &e->rule, ctx, NULL, + &state, false)) { + rcu_read_unlock(); +@@ -769,20 +782,16 @@ static enum audit_state audit_filter_sys + static int audit_filter_inode_name(struct task_struct *tsk, + struct audit_names *n, + struct audit_context *ctx) { +- int word, bit; + int h = audit_hash_ino((u32)n->ino); + struct list_head *list = &audit_inode_hash[h]; + struct audit_entry *e; + enum audit_state state; + +- word = AUDIT_WORD(ctx->major); +- bit = AUDIT_BIT(ctx->major); +- + if (list_empty(list)) + return 0; + + list_for_each_entry_rcu(e, list, list) { +- if ((e->rule.mask[word] & bit) == bit && ++ if (audit_in_mask(&e->rule, ctx->major) && + audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) { + ctx->current_state = state; + return 1; diff --git a/queue-3.15/series b/queue-3.15/series index f82ec47cda3..11772d1f66d 100644 --- a/queue-3.15/series +++ b/queue-3.15/series @@ -1,2 +1,3 @@ fs-userns-change-inode_capable-to-capable_wrt_inode_uidgid.patch lock_parent-don-t-step-on-stale-d_parent-of-all-but-freed-one.patch +auditsc-audit_krule-mask-accesses-need-bounds-checking.patch