[{"id":1763127,"web_url":"http://patchwork.ozlabs.org/comment/1763127/","msgid":"<35ff7796-dd16-f6b0-bd2d-a469c1e1f675@canonical.com>","list_archive_url":null,"date":"2017-09-05T09:30:53","subject":"ACK: [Trusty SRU][PATCH 2/2] aio: mark AIO pseudo-fs noexec","submitter":{"id":2900,"url":"http://patchwork.ozlabs.org/api/people/2900/","name":"Colin Ian King","email":"colin.king@canonical.com"},"content":"On 04/09/17 18:54, Kleber Sacilotto de Souza wrote:\n> From: Jann Horn <jann@thejh.net>\n> \n> CVE-2016-10044\n> \n> This ensures that do_mmap() won't implicitly make AIO memory mappings\n> executable if the READ_IMPLIES_EXEC personality flag is set.  Such\n> behavior is problematic because the security_mmap_file LSM hook doesn't\n> catch this case, potentially permitting an attacker to bypass a W^X\n> policy enforced by SELinux.\n> \n> I have tested the patch on my machine.\n> \n> To test the behavior, compile and run this:\n> \n>     #define _GNU_SOURCE\n>     #include <unistd.h>\n>     #include <sys/personality.h>\n>     #include <linux/aio_abi.h>\n>     #include <err.h>\n>     #include <stdlib.h>\n>     #include <stdio.h>\n>     #include <sys/syscall.h>\n> \n>     int main(void) {\n>         personality(READ_IMPLIES_EXEC);\n>         aio_context_t ctx = 0;\n>         if (syscall(__NR_io_setup, 1, &ctx))\n>             err(1, \"io_setup\");\n> \n>         char cmd[1000];\n>         sprintf(cmd, \"cat /proc/%d/maps | grep -F '/[aio]'\",\n>             (int)getpid());\n>         system(cmd);\n>         return 0;\n>     }\n> \n> In the output, \"rw-s\" is good, \"rwxs\" is bad.\n> \n> Signed-off-by: Jann Horn <jann@thejh.net>\n> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>\n> (backported from commit 22f6b4d34fcf039c63a94e7670e0da24f8575a5a)\n> [kleber: replaced the inline magic number by the macro AIO_RING_MAGIC,\n>  as done by 8dc4379e17cddad7b2088a3f300ded50d2a6d493 mainline]\n> 
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>\n> ---\n>  fs/aio.c | 7 ++++++-\n>  1 file changed, 6 insertions(+), 1 deletion(-)\n> \n> diff --git a/fs/aio.c b/fs/aio.c\n> index db7adacb5543..8dd68431ff62 100644\n> --- a/fs/aio.c\n> +++ b/fs/aio.c\n> 
@@ -208,7 +208,12 @@ static struct dentry *aio_mount(struct file_system_type *fs_type,\n>  \tstatic const struct dentry_operations ops = {\n>  \t\t.d_dname\t= simple_dname,\n>  \t};\n> -\treturn mount_pseudo(fs_type, \"aio:\", NULL, &ops, 0xa10a10a1);\n> +\tstruct dentry *root = mount_pseudo(fs_type, \"aio:\", NULL, &ops,\n> +\t\t\t\t\t   AIO_RING_MAGIC);\n> +\n> +\tif (!IS_ERR(root))\n> +\t\troot->d_sb->s_iflags |= SB_I_NOEXEC;\n> +\treturn root;\n>  }\n>  \n>  /* aio_setup\n> \nLooks good to me\n\nAcked-by: Colin Ian King <colin.king@canonical.com>","headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com\n\t(client-ip=91.189.94.19; helo=huckleberry.canonical.com;\n\tenvelope-from=kernel-team-bounces@lists.ubuntu.com;\n\treceiver=<UNKNOWN>)","Received":["from huckleberry.canonical.com (huckleberry.canonical.com\n\t[91.189.94.19])\n\tby ozlabs.org (Postfix) with ESMTP id 3xmhKZ4yf5z9s0g;\n\tTue,  5 Sep 2017 19:30:58 +1000 (AEST)","from localhost ([127.0.0.1] helo=huckleberry.canonical.com)\n\tby huckleberry.canonical.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1dpAC7-0001rv-8M; Tue, 05 Sep 2017 09:30:55 +0000","from youngberry.canonical.com ([91.189.89.112])\n\tby huckleberry.canonical.com with esmtps\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)\n\t(Exim 4.86_2) (envelope-from <colin.king@canonical.com>)\n\tid 1dpAC6-0001rV-6c\n\tfor kernel-team@lists.ubuntu.com; Tue, 05 Sep 2017 09:30:54 +0000","from 1.general.cking.uk.vpn ([10.172.193.212])\n\tby youngberry.canonical.com with esmtpsa\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)\n\t(Exim 4.76) (envelope-from <colin.king@canonical.com>)\n\tid 1dpAC5-0004E0-T6; Tue, 05 Sep 2017 09:30:53 +0000"],"Subject":"ACK: [Trusty SRU][PATCH 2/2] aio: mark AIO pseudo-fs 
noexec","To":"kernel-team@lists.ubuntu.com","References":"<20170904175434.7071-1-kleber.souza@canonical.com>\n\t<20170904175434.7071-3-kleber.souza@canonical.com>","From":"Colin Ian King <colin.king@canonical.com>","Message-ID":"<35ff7796-dd16-f6b0-bd2d-a469c1e1f675@canonical.com>","Date":"Tue, 5 Sep 2017 10:30:53 +0100","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101\n\tThunderbird/45.8.0","MIME-Version":"1.0","In-Reply-To":"<20170904175434.7071-3-kleber.souza@canonical.com>","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"}},{"id":1763141,"web_url":"http://patchwork.ozlabs.org/comment/1763141/","msgid":"<20170905094425.kcbp6njqnbx5riq7@calabresa>","list_archive_url":null,"date":"2017-09-05T09:44:26","subject":"ACK: [Trusty SRU][PATCH 0/2] Fix for CVE-2016-10044","submitter":{"id":70574,"url":"http://patchwork.ozlabs.org/api/people/70574/","name":"Thadeu Lima de Souza Cascardo","email":"cascardo@canonical.com"},"content":"Acked-by: Thadeu Lima de Souza Cascardo 
<cascardo@canonical.com>","headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com\n\t(client-ip=91.189.94.19; helo=huckleberry.canonical.com;\n\tenvelope-from=kernel-team-bounces@lists.ubuntu.com;\n\treceiver=<UNKNOWN>)","Received":["from huckleberry.canonical.com (huckleberry.canonical.com\n\t[91.189.94.19])\n\tby ozlabs.org (Postfix) with ESMTP id 3xmhdM2fM1z9s76;\n\tTue,  5 Sep 2017 19:44:39 +1000 (AEST)","from localhost ([127.0.0.1] helo=huckleberry.canonical.com)\n\tby huckleberry.canonical.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1dpAPK-00032c-GO; Tue, 05 Sep 2017 09:44:34 +0000","from youngberry.canonical.com ([91.189.89.112])\n\tby huckleberry.canonical.com with esmtps\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)\n\t(Exim 4.86_2) (envelope-from <cascardo@canonical.com>)\n\tid 1dpAPG-00032T-G9\n\tfor kernel-team@lists.ubuntu.com; Tue, 05 Sep 2017 09:44:30 +0000","from 1.general.cascardo.us.vpn ([10.172.70.58] helo=calabresa)\n\tby youngberry.canonical.com with esmtpsa\n\t(TLS1.0:RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.76) (envelope-from <cascardo@canonical.com>)\n\tid 1dpAPF-0004md-QE; Tue, 05 Sep 2017 09:44:30 +0000"],"Date":"Tue, 5 Sep 2017 06:44:26 -0300","From":"Thadeu Lima de Souza Cascardo <cascardo@canonical.com>","To":"Kleber Sacilotto de Souza <kleber.souza@canonical.com>","Subject":"ACK: [Trusty SRU][PATCH 0/2] Fix for CVE-2016-10044","Message-ID":"<20170905094425.kcbp6njqnbx5riq7@calabresa>","References":"<20170904175434.7071-1-kleber.souza@canonical.com>","MIME-Version":"1.0","Content-Disposition":"inline","In-Reply-To":"<20170904175434.7071-1-kleber.souza@canonical.com>","User-Agent":"NeoMutt/20170113 
(1.7.2)","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Cc":"kernel-team@lists.ubuntu.com","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"}},{"id":1763390,"web_url":"http://patchwork.ozlabs.org/comment/1763390/","msgid":"<17f5df8b-4336-ed0f-137a-77c47e2e7b40@canonical.com>","list_archive_url":null,"date":"2017-09-05T14:14:28","subject":"APPLIED: [Trusty SRU][PATCH 0/2] Fix for CVE-2016-10044","submitter":{"id":71419,"url":"http://patchwork.ozlabs.org/api/people/71419/","name":"Kleber Sacilotto de Souza","email":"kleber.souza@canonical.com"},"content":"Applied to trusty/master-next branch. 
Thanks.","headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com\n\t(client-ip=91.189.94.19; helo=huckleberry.canonical.com;\n\tenvelope-from=kernel-team-bounces@lists.ubuntu.com;\n\treceiver=<UNKNOWN>)","Received":["from huckleberry.canonical.com (huckleberry.canonical.com\n\t[91.189.94.19])\n\tby ozlabs.org (Postfix) with ESMTP id 3xmpcs3nLhz9t2m;\n\tWed,  6 Sep 2017 00:14:37 +1000 (AEST)","from localhost ([127.0.0.1] helo=huckleberry.canonical.com)\n\tby huckleberry.canonical.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1dpEcZ-0007YO-RY; Tue, 05 Sep 2017 14:14:31 +0000","from youngberry.canonical.com ([91.189.89.112])\n\tby huckleberry.canonical.com with esmtps\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)\n\t(Exim 4.86_2) (envelope-from <kleber.souza@canonical.com>)\n\tid 1dpEcZ-0007YH-7Q\n\tfor kernel-team@lists.ubuntu.com; Tue, 05 Sep 2017 14:14:31 +0000","from mail-wm0-f71.google.com ([74.125.82.71])\n\tby youngberry.canonical.com with esmtps\n\t(TLS1.0:RSA_AES_128_CBC_SHA1:16)\n\t(Exim 4.76) (envelope-from <kleber.souza@canonical.com>)\n\tid 1dpEcZ-00034h-0E\n\tfor kernel-team@lists.ubuntu.com; Tue, 05 Sep 2017 14:14:31 +0000","by mail-wm0-f71.google.com with SMTP id l19so4193245wmi.1\n\tfor <kernel-team@lists.ubuntu.com>;\n\tTue, 05 Sep 2017 07:14:30 -0700 (PDT)","from [192.168.0.8] (ip5f5bd015.dynamic.kabel-deutschland.de.\n\t[95.91.208.21]) by smtp.gmail.com with ESMTPSA id\n\to50sm327818edo.70.2017.09.05.07.14.28\n\tfor <kernel-team@lists.ubuntu.com>\n\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);\n\tTue, 05 Sep 2017 07:14:29 -0700 (PDT)"],"X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; 
s=20161025;\n\th=x-gm-message-state:subject:from:to:references:message-id:date\n\t:user-agent:mime-version:in-reply-to:content-language\n\t:content-transfer-encoding;","X-Received":["by 10.80.180.184 with SMTP id w53mr3383046edd.176.1504620870436; \n\tTue, 05 Sep 2017 07:14:30 -0700 (PDT)","by 10.80.180.184 with SMTP id w53mr3383041edd.176.1504620870293; \n\tTue, 05 Sep 2017 07:14:30 -0700 (PDT)"],"Subject":"APPLIED: [Trusty SRU][PATCH 0/2] Fix for CVE-2016-10044","From":"Kleber Souza <kleber.souza@canonical.com>","To":"kernel-team@lists.ubuntu.com","References":"<20170904175434.7071-1-kleber.souza@canonical.com>","Message-ID":"<17f5df8b-4336-ed0f-137a-77c47e2e7b40@canonical.com>","Date":"Tue, 5 Sep 2017 16:14:28 +0200","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101\n\tThunderbird/52.2.1","MIME-Version":"1.0","In-Reply-To":"<20170904175434.7071-1-kleber.souza@canonical.com>","Content-Language":"en-US","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions 
<kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"}}]
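Review bot: In the fs/aio.c hunk of [PATCH 2/2] quoted in the first comment, the added `root->d_sb->s_iflags |= SB_I_NOEXEC;` in aio_mount() depends on `s_iflags` and `SB_I_NOEXEC` existing in the Trusty tree, but the bracketed backport note records only the AIO_RING_MAGIC substitution. Suggest naming the prerequisite there (presumably patch 1/2 of this series, which is not shown here), and confirming that AIO_RING_MAGIC is defined ahead of aio_mount() in this tree with the value 0xa10a10a1 that the removed line passed, so the pseudo-fs superblock magic does not change.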