rpms/kernel/F-9 linux-2.6-wan-missing-capability-checks-in-sbni_ioctl.patch, NONE, 1.1 kernel.spec, 1.805, 1.806

Chuck Ebbert cebbert at fedoraproject.org
Fri Oct 17 18:00:37 UTC 2008


Author: cebbert

Update of /cvs/pkgs/rpms/kernel/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv22083

Modified Files:
	kernel.spec 
Added Files:
	linux-2.6-wan-missing-capability-checks-in-sbni_ioctl.patch 
Log Message:
Fix IOCTL permission checking in sbni WAN adapter (CVE-2008-3525).

linux-2.6-wan-missing-capability-checks-in-sbni_ioctl.patch:

--- NEW FILE linux-2.6-wan-missing-capability-checks-in-sbni_ioctl.patch ---
From: Eugene Teo <eugeneteo at kernel.sg>
Date: Wed, 27 Aug 2008 11:50:30 +0000 (-0700)
Subject: wan: Missing capability checks in sbni_ioctl()
X-Git-Tag: v2.6.27-rc5~8^2~2
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=f2455eb176ac87081bbfc9a44b21c7cd2bc1967e

wan: Missing capability checks in sbni_ioctl()

There are missing capability checks in the following code:

1300 static int
1301 sbni_ioctl( struct net_device  *dev,  struct ifreq  *ifr,  int  cmd)
1302 {
[...]
1319     case  SIOCDEVRESINSTATS :
1320         if( current->euid != 0 )    /* root only */
1321             return  -EPERM;
[...]
1336     case  SIOCDEVSHWSTATE :
1337         if( current->euid != 0 )    /* root only */
1338             return  -EPERM;
[...]
1357     case  SIOCDEVENSLAVE :
1358         if( current->euid != 0 )    /* root only */
1359             return  -EPERM;
[...]
1372     case  SIOCDEVEMANSIPATE :
1373         if( current->euid != 0 )    /* root only */
1374             return  -EPERM;

Here's my proposed fix:

Missing capability checks.

CVE-2008-3525

Signed-off-by: Eugene Teo <eugeneteo at kernel.sg>
Signed-off-by: David S. Miller <davem at davemloft.net>
---

diff --git a/drivers/net/wan/sbni.c b/drivers/net/wan/sbni.c
index e59255a..6596cd0 100644
--- a/drivers/net/wan/sbni.c
+++ b/drivers/net/wan/sbni.c
@@ -1317,7 +1317,7 @@ sbni_ioctl( struct net_device  *dev,  struct ifreq  *ifr,  int  cmd )
 		break;
 
 	case  SIOCDEVRESINSTATS :
-		if( current->euid != 0 )	/* root only */
+		if (!capable(CAP_NET_ADMIN))
 			return  -EPERM;
 		memset( &nl->in_stats, 0, sizeof(struct sbni_in_stats) );
 		break;
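Review bot: The new `if (!capable(CAP_NET_ADMIN))` check under SIOCDEVRESINSTATS drops the old `/* root only */` comment without a replacement, so the reason for the gate is no longer stated next to the code. The same applies to the SIOCDEVSHWSTATE, SIOCDEVENSLAVE and SIOCDEVEMANSIPATE hunks. I would add a comment above the first check, for example `/* modifies driver state: caller needs CAP_NET_ADMIN; euid 0 alone is not sufficient */`. The added lines use `if (` spacing while the surrounding switch uses `if( ... )`, which leaves the function with mixed style. sbni_ioctl() begins and ends outside these hunks, so it cannot be confirmed from here that the remaining cases are read-only and need no check.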
@@ -1334,7 +1334,7 @@ sbni_ioctl( struct net_device  *dev,  struct ifreq  *ifr,  int  cmd )
 		break;
 
 	case  SIOCDEVSHWSTATE :
-		if( current->euid != 0 )	/* root only */
+		if (!capable(CAP_NET_ADMIN))
 			return  -EPERM;
 
 		spin_lock( &nl->lock );
@@ -1355,7 +1355,7 @@ sbni_ioctl( struct net_device  *dev,  struct ifreq  *ifr,  int  cmd )
 #ifdef CONFIG_SBNI_MULTILINE
 
 	case  SIOCDEVENSLAVE :
-		if( current->euid != 0 )	/* root only */
+		if (!capable(CAP_NET_ADMIN))
 			return  -EPERM;
 
 		if (copy_from_user( slave_name, ifr->ifr_data, sizeof slave_name ))
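Review bot: In SIOCDEVENSLAVE the context line `copy_from_user( slave_name, ifr->ifr_data, sizeof slave_name )` fills the whole buffer from user space, so nothing visible here guarantees that slave_name is NUL-terminated. Its use lies outside the hunk, so this needs confirming. If it is later passed to a name lookup or printed with `%s`, adding `slave_name[sizeof slave_name - 1] = '\0';` after the copy would bound it. The capability check narrows who can reach this path but does not replace that bound.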
@@ -1370,7 +1370,7 @@ sbni_ioctl( struct net_device  *dev,  struct ifreq  *ifr,  int  cmd )
 		return  enslave( dev, slave_dev );
 
 	case  SIOCDEVEMANSIPATE :
-		if( current->euid != 0 )	/* root only */
+		if (!capable(CAP_NET_ADMIN))
 			return  -EPERM;
 
 		return  emancipate( dev );


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-9/kernel.spec,v
retrieving revision 1.805
retrieving revision 1.806
diff -u -r1.805 -r1.806
--- kernel.spec	17 Oct 2008 17:50:02 -0000	1.805
+++ kernel.spec	17 Oct 2008 18:00:07 -0000	1.806
@@ -744,7 +744,11 @@
 
 # backported version of http://git.kernel.org/?p=linux/kernel/git/davem/sparc-2.6.git;a=commitdiff;h=73ccefab8a6590bb3d5b44c046010139108ab7ca
 # needed to build sparc64 kernel
-Patch2900: linux-sparc-tracehook-syscall.patch
+Patch3000: linux-sparc-tracehook-syscall.patch
+
+# fix IOCTL security in sbni driver
+Patch3100: linux-2.6-wan-missing-capability-checks-in-sbni_ioctl.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
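Review bot: The renumbering of `linux-sparc-tracehook-syscall.patch` from Patch2900 to Patch3000 is not mentioned in the log message or the changelog entry, which describe only the sbni fix, so someone auditing this security update cannot tell why it moved. The comment above Patch3100 also omits the CVE id that the ApplyPatch comment carries. Writing it as `# CVE-2008-3525: missing capability checks in sbni_ioctl()` would let both places be found with one search. The conditional block closed by `%endif` opens outside this hunk.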
@@ -1357,6 +1361,10 @@
 
 # backport syscall tracing to use the new tracehook.h entry points.
 ApplyPatch linux-sparc-tracehook-syscall.patch
+
+# CVE-2008-3525
+ApplyPatch linux-2.6-wan-missing-capability-checks-in-sbni_ioctl.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -1950,6 +1958,9 @@
 %kernel_variant_files -a /%{image_install_path}/xen*-%{KVERREL}.xen -e /etc/ld.so.conf.d/kernelcap-%{KVERREL}.xen.conf %{with_xen} xen
 
 %changelog
+* Fri Oct 17 2008 Chuck Ebbert <cebbert at redhat.com> 2.6.26.6-79
+- Fix IOCTL permission checking in sbni WAN adapter (CVE-2008-3525).
+
 * Fri Oct 17 2008 Chuck Ebbert <cebbert at redhat.com> 2.6.26.6-78
 - DRM: fix ioctl security issue (CVE-2008-3831).
 



