rpms/kernel/F-12 ext4-fix-insufficient-checks-in-EXT4_IOC_MOVE_EXT.patch, NONE, 1.1 kernel.spec, 1.1951, 1.1952

Kyle McMartin kyle at fedoraproject.org
Wed Dec 9 14:29:02 UTC 2009 

Author: kyle

Update of /cvs/pkgs/rpms/kernel/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv5652

Modified Files:
	kernel.spec 
Added Files:
	ext4-fix-insufficient-checks-in-EXT4_IOC_MOVE_EXT.patch 
Log Message:
* Wed Dec 09 2009 Kyle McMartin <kyle at redhat.com> 2.6.31.6-166
- ext4-fix-insufficient-checks-in-EXT4_IOC_MOVE_EXT.patch: CVE-2009-4131
  fix insufficient permission checking which could result in arbitrary
  data corruption by a local unprivileged user.


ext4-fix-insufficient-checks-in-EXT4_IOC_MOVE_EXT.patch:
 ioctl.c       |   33 ++++++++++++++++++++-------------
 move_extent.c |    7 +++++++
 2 files changed, 27 insertions(+), 13 deletions(-)

--- NEW FILE ext4-fix-insufficient-checks-in-EXT4_IOC_MOVE_EXT.patch ---
>From 910123ba363623f15ffb5d05dd87bdf06d08c609 Mon Sep 17 00:00:00 2001
From: Akira Fujita <a-fujita at rs.jp.nec.com>
Date: Sun, 6 Dec 2009 23:38:31 -0500
Subject: [PATCH] ext4: Fix insufficient checks in EXT4_IOC_MOVE_EXT

This patch fixes three problems in the handling of the
EXT4_IOC_MOVE_EXT ioctl:

1. In current EXT4_IOC_MOVE_EXT, there are read access mode checks for
original and donor files, but they allow the illegal write access to
donor file, since donor file is overwritten by original file data.  To
fix this problem, change access mode checks of original (r->r/w) and
donor (r->w) files.

2.  Disallow the use of donor files that have a setuid or setgid bits.

3.  Call mnt_want_write() and mnt_drop_write() before and after
ext4_move_extents() calling to get write access to a mount.

Signed-off-by: Akira Fujita <a-fujita at rs.jp.nec.com>
Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
---

 fs/ext4/ioctl.c       |   28 ++++++++++++++++++----------
 fs/ext4/move_extent.c |    7 +++++++
 2 files changed, 25 insertions(+), 10 deletions(-)

diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
index 7050a9c..f5b1d3c 100644
--- a/fs/ext4/ioctl.c
+++ b/fs/ext4/ioctl.c
@@ -221,32 +221,39 @@ setversion_out:
 		struct file *donor_filp;
 		int err;
 
+		if (!(filp->f_mode & FMODE_READ) ||
+		    !(filp->f_mode & FMODE_WRITE))
+			return -EBADF;
+
 		if (copy_from_user(&me,
 			(struct move_extent __user *)arg, sizeof(me)))
 			return -EFAULT;
+		me.moved_len = 0;
 
 		donor_filp = fget(me.donor_fd);
 		if (!donor_filp)
 			return -EBADF;
 
-		if (!capable(CAP_DAC_OVERRIDE)) {
-			if ((current->real_cred->fsuid != inode->i_uid) ||
-				!(inode->i_mode & S_IRUSR) ||
-				!(donor_filp->f_dentry->d_inode->i_mode &
-				S_IRUSR)) {
-				fput(donor_filp);
-				return -EACCES;
-			}
+		if (!(donor_filp->f_mode & FMODE_WRITE)) {
+			err = -EBADF;
+			goto mext_out;
 		}
 
+		err = mnt_want_write(filp->f_path.mnt);
+		if (err)
+			goto mext_out;
+
 		err = ext4_move_extents(filp, donor_filp, me.orig_start,
 					me.donor_start, me.len, &me.moved_len);
-		fput(donor_filp);
+		mnt_drop_write(filp->f_path.mnt);
+		if (me.moved_len > 0)
+			file_remove_suid(donor_filp);
 
-		if (!err)
-			if (copy_to_user((struct move_extent *)arg,
-				&me, sizeof(me)))
-				return -EFAULT;
+		if (copy_to_user((struct move_extent *)arg, &me, sizeof(me)))
+			err = -EFAULT;
+
+mext_out:
+		fput(donor_filp);
 		return err;
 	}
 
diff --git a/fs/ext4/move_extent.c b/fs/ext4/move_extent.c
index bbf2dd9..c5250b5 100644
--- a/fs/ext4/move_extent.c
+++ b/fs/ext4/move_extent.c
@@ -905,6 +905,13 @@ mext_check_arguments(struct inode *orig_inode,
 		return -EINVAL;
 	}
 
+	if (donor_inode->i_mode & (S_ISUID|S_ISGID)) {
+		ext4_debug("ext4 move extent: suid or sgid is set"
+			   " to donor file [ino:orig %lu, donor %lu]\n",
+			   orig_inode->i_ino, donor_inode->i_ino);
+		return -EINVAL;
+	}
+
 	/* Ext4 move extent does not support swapfile */
 	if (IS_SWAPFILE(orig_inode) || IS_SWAPFILE(donor_inode)) {
 		ext4_debug("ext4 move extent: The argument files should "


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-12/kernel.spec,v
retrieving revision 1.1951
retrieving revision 1.1952
diff -u -p -r1.1951 -r1.1952
--- kernel.spec	8 Dec 2009 12:57:07 -0000	1.1951
+++ kernel.spec	9 Dec 2009 14:29:02 -0000	1.1952
@@ -812,6 +812,9 @@ Patch14463: dlm-fix-connection-close-han
 # rhbz#544144 [bbf31bf18d34caa87dd01f08bf713635593697f2]
 Patch14464: ipv4-fix-null-ptr-deref-in-ip_fragment.patch
 
+# rhbz#544471
+Patch14465: ext4-fix-insufficient-checks-in-EXT4_IOC_MOVE_EXT.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1518,6 +1521,9 @@ ApplyPatch dlm-fix-connection-close-hand
 # rhbz#544144
 ApplyPatch ipv4-fix-null-ptr-deref-in-ip_fragment.patch
 
+# rhbz#544471
+ApplyPatch ext4-fix-insufficient-checks-in-EXT4_IOC_MOVE_EXT.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2167,6 +2173,11 @@ fi
 # and build.
 
 %changelog
+* Wed Dec 09 2009 Kyle McMartin <kyle at redhat.com> 2.6.31.6-166
+- ext4-fix-insufficient-checks-in-EXT4_IOC_MOVE_EXT.patch: CVE-2009-4131
+  fix insufficient permission checking which could result in arbitrary
+  data corruption by a local unprivileged user.
+
 * Tue Dec  8 2009 Steve Dickson <steved at redhat.com> 2.6.31.6-165
 - nfsd: Updated to latest pseudo root code fixing rhbz# 538609

More information about the scm-commits mailing list