[kernel/f19] CVE-2014-1874 SELinux: local denial of service (rhbz 1062356 1062507)

Josh Boyer jwboyer at fedoraproject.org
Wed Feb 12 14:17:58 UTC 2014


commit 1833232089416756058b86ae20a2f02bf33aa9d5
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date:   Wed Feb 12 09:17:10 2014 -0500

    CVE-2014-1874 SELinux: local denial of service (rhbz 1062356 1062507)

 ...Fix-kernel-BUG-on-empty-security-contexts.patch |  116 ++++++++++++++++++++
 kernel.spec                                        |    9 ++
 2 files changed, 125 insertions(+), 0 deletions(-)
---
diff --git a/SELinux-Fix-kernel-BUG-on-empty-security-contexts.patch b/SELinux-Fix-kernel-BUG-on-empty-security-contexts.patch
new file mode 100644
index 0000000..f747945
--- /dev/null
+++ b/SELinux-Fix-kernel-BUG-on-empty-security-contexts.patch
@@ -0,0 +1,116 @@
+From 2172fa709ab32ca60e86179dc67d0857be8e2c98 Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <sds at tycho.nsa.gov>
+Date: Thu, 30 Jan 2014 11:26:59 -0500
+Subject: [PATCH] SELinux:  Fix kernel BUG on empty security contexts.
+
+Setting an empty security context (length=0) on a file will
+lead to incorrectly dereferencing the type and other fields
+of the security context structure, yielding a kernel BUG.
+As a zero-length security context is never valid, just reject
+all such security contexts whether coming from userspace
+via setxattr or coming from the filesystem upon a getxattr
+request by SELinux.
+
+Setting a security context value (empty or otherwise) unknown to
+SELinux in the first place is only possible for a root process
+(CAP_MAC_ADMIN), and, if running SELinux in enforcing mode, only
+if the corresponding SELinux mac_admin permission is also granted
+to the domain by policy.  In Fedora policies, this is only allowed for
+specific domains such as livecd for setting down security contexts
+that are not defined in the build host policy.
+
+Reproducer:
+su
+setenforce 0
+touch foo
+setfattr -n security.selinux foo
+
+Caveat:
+Relabeling or removing foo after doing the above may not be possible
+without booting with SELinux disabled.  Any subsequent access to foo
+after doing the above will also trigger the BUG.
+
+BUG output from Matthew Thode:
+[  473.893141] ------------[ cut here ]------------
+[  473.962110] kernel BUG at security/selinux/ss/services.c:654!
+[  473.995314] invalid opcode: 0000 [#6] SMP
+[  474.027196] Modules linked in:
+[  474.058118] CPU: 0 PID: 8138 Comm: ls Tainted: G      D   I
+3.13.0-grsec #1
+[  474.116637] Hardware name: Supermicro X8ST3/X8ST3, BIOS 2.0
+07/29/10
+[  474.149768] task: ffff8805f50cd010 ti: ffff8805f50cd488 task.ti:
+ffff8805f50cd488
+[  474.183707] RIP: 0010:[<ffffffff814681c7>]  [<ffffffff814681c7>]
+context_struct_compute_av+0xce/0x308
+[  474.219954] RSP: 0018:ffff8805c0ac3c38  EFLAGS: 00010246
+[  474.252253] RAX: 0000000000000000 RBX: ffff8805c0ac3d94 RCX:
+0000000000000100
+[  474.287018] RDX: ffff8805e8aac000 RSI: 00000000ffffffff RDI:
+ffff8805e8aaa000
+[  474.321199] RBP: ffff8805c0ac3cb8 R08: 0000000000000010 R09:
+0000000000000006
+[  474.357446] R10: 0000000000000000 R11: ffff8805c567a000 R12:
+0000000000000006
+[  474.419191] R13: ffff8805c2b74e88 R14: 00000000000001da R15:
+0000000000000000
+[  474.453816] FS:  00007f2e75220800(0000) GS:ffff88061fc00000(0000)
+knlGS:0000000000000000
+[  474.489254] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  474.522215] CR2: 00007f2e74716090 CR3: 00000005c085e000 CR4:
+00000000000207f0
+[  474.556058] Stack:
+[  474.584325]  ffff8805c0ac3c98 ffffffff811b549b ffff8805c0ac3c98
+ffff8805f1190a40
+[  474.618913]  ffff8805a6202f08 ffff8805c2b74e88 00068800d0464990
+ffff8805e8aac860
+[  474.653955]  ffff8805c0ac3cb8 000700068113833a ffff880606c75060
+ffff8805c0ac3d94
+[  474.690461] Call Trace:
+[  474.723779]  [<ffffffff811b549b>] ? lookup_fast+0x1cd/0x22a
+[  474.778049]  [<ffffffff81468824>] security_compute_av+0xf4/0x20b
+[  474.811398]  [<ffffffff8196f419>] avc_compute_av+0x2a/0x179
+[  474.843813]  [<ffffffff8145727b>] avc_has_perm+0x45/0xf4
+[  474.875694]  [<ffffffff81457d0e>] inode_has_perm+0x2a/0x31
+[  474.907370]  [<ffffffff81457e76>] selinux_inode_getattr+0x3c/0x3e
+[  474.938726]  [<ffffffff81455cf6>] security_inode_getattr+0x1b/0x22
+[  474.970036]  [<ffffffff811b057d>] vfs_getattr+0x19/0x2d
+[  475.000618]  [<ffffffff811b05e5>] vfs_fstatat+0x54/0x91
+[  475.030402]  [<ffffffff811b063b>] vfs_lstat+0x19/0x1b
+[  475.061097]  [<ffffffff811b077e>] SyS_newlstat+0x15/0x30
+[  475.094595]  [<ffffffff8113c5c1>] ? __audit_syscall_entry+0xa1/0xc3
+[  475.148405]  [<ffffffff8197791e>] system_call_fastpath+0x16/0x1b
+[  475.179201] Code: 00 48 85 c0 48 89 45 b8 75 02 0f 0b 48 8b 45 a0 48
+8b 3d 45 d0 b6 00 8b 40 08 89 c6 ff ce e8 d1 b0 06 00 48 85 c0 49 89 c7
+75 02 <0f> 0b 48 8b 45 b8 4c 8b 28 eb 1e 49 8d 7d 08 be 80 01 00 00 e8
+[  475.255884] RIP  [<ffffffff814681c7>]
+context_struct_compute_av+0xce/0x308
+[  475.296120]  RSP <ffff8805c0ac3c38>
+[  475.328734] ---[ end trace f076482e9d754adc ]---
+
+Reported-by:  Matthew Thode <mthode at mthode.org>
+Signed-off-by: Stephen Smalley <sds at tycho.nsa.gov>
+Cc: stable at vger.kernel.org
+Signed-off-by: Paul Moore <pmoore at redhat.com>
+---
+ security/selinux/ss/services.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
+index fc5a63a..f1e46d7 100644
+--- a/security/selinux/ss/services.c
++++ b/security/selinux/ss/services.c
+@@ -1232,6 +1232,10 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
+ 	struct context context;
+ 	int rc = 0;
+ 
++	/* An empty security context is never valid. */
++	if (!scontext_len)
++		return -EINVAL;
++
+ 	if (!ss_initialized) {
+ 		int i;
+ 
+-- 
+1.8.5.3
+
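Review bot: The added `if (!scontext_len) return -EINVAL;` in security_context_to_sid_core sits before the `!ss_initialized` branch and before any allocation or parsing, so it covers every caller (the setxattr path through security_context_to_sid and the getxattr path through security_context_to_sid_default) as the commit message claims; no gap there. Because the rejection also applies when the context is read back from the filesystem, a file that already carries an empty security.selinux xattr should no longer trip the `kernel BUG at security/selinux/ss/services.c:654` in context_struct_compute_av shown in the pasted trace on every access, and the inode labeling path's existing -EINVAL handling (fall back to the unlabeled SID and log an invalid-context notice) is then the signal to watch for when hunting for such files to relabel. Since the patch is a verbatim copy of upstream 2172fa709ab3 with a `Cc: stable` tag, note that commit id where the patch is carried so it can be dropped once the matching stable release is picked up.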
diff --git a/kernel.spec b/kernel.spec
index afd395e..5c44704 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -770,6 +770,9 @@ Patch25185: ath9k_htc-make-sta_rc_update-atomic-for-most-calls.patch
 #rhbz 950630
 Patch25186: xhci-fix-resume-issues-on-renesas-chips-in-samsung-laptops.patch
 
+#CVE-2014-1874 rhbz 1062356 1062507
+Patch25188: SELinux-Fix-kernel-BUG-on-empty-security-contexts.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
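Review bot: The patch number jumps from Patch25186 to Patch25188, leaving 25187 unused; unless 25187 is reserved for a pending change, take the next free number so the sequence stays contiguous. The comment line carries the CVE and both rhbz ids and matches the commit subject, which is good; adding the upstream commit id (2172fa709ab3, from the patch's own From line) to the same comment would make it obvious when this patch can be dropped on a stable rebase.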
@@ -1479,6 +1482,9 @@ ApplyPatch ath9k_htc-make-sta_rc_update-atomic-for-most-calls.patch
 #rhbz 950630
 ApplyPatch xhci-fix-resume-issues-on-renesas-chips-in-samsung-laptops.patch
 
+#CVE-2014-1874 rhbz 1062356 1062507
+ApplyPatch SELinux-Fix-kernel-BUG-on-empty-security-contexts.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
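Review bot: The ApplyPatch name matches the Patch25188 definition byte for byte and repeats the same `#CVE-2014-1874 rhbz 1062356 1062507` comment, so definition and application are consistent, and placing it last before `# END OF PATCH APPLICATIONS` mirrors the position of the definition, which is the convention the surrounding xhci entry follows.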
@@ -2291,6 +2297,9 @@ fi
 # and build.
 
 %changelog
+* Wed Feb 12 2014 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2014-1874 SELinux: local denial of service (rhbz 1062356 1062507)
+
 * Thu Feb 06 2014 Justin M. Forbes <jforbes at fedoraproject.org> - 3.12.10-200
 - Linux v3.12.10
 
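Review bot: The new %changelog entry omits the version-release suffix that the preceding entry carries (`- 3.12.10-200`), and no Release or baserelease bump is visible in this diff; if the build tooling does not append the tag automatically, the entry should carry the next release number and the release should be bumped so that the rebuilt kernel is distinguishable from the 3.12.10-200 build that lacks the fix. The entry text itself matches the commit subject exactly.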

