From patchwork Thu Aug 11 19:18:44 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Tim Gardner <tim.gardner@canonical.com>
X-Patchwork-Id: 109665
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from chlorine.canonical.com (chlorine.canonical.com
	[91.189.94.204]) by ozlabs.org (Postfix) with ESMTP id 81F7BB6F76
	for <incoming@patchwork.ozlabs.org>;
	Fri, 12 Aug 2011 05:19:12 +1000 (EST)
Received: from localhost ([127.0.0.1] helo=chlorine.canonical.com)
	by chlorine.canonical.com with esmtp (Exim 4.71)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1QramP-00027G-PP; Thu, 11 Aug 2011 19:18:57 +0000
Received: from mail.tpi.com ([70.99.223.143])
	by chlorine.canonical.com with esmtp (Exim 4.71)
	(envelope-from <tim.gardner@canonical.com>) id 1QramN-000278-3y
	for kernel-team@lists.ubuntu.com; Thu, 11 Aug 2011 19:18:55 +0000
Received: from sepang.rtg.net (mail.tpi.com [70.99.223.143])
	by mail.tpi.com (Postfix) with ESMTP id 28BEA2E05DE;
	Thu, 11 Aug 2011 12:18:10 -0700 (PDT)
Received: from [127.0.0.1] (lochsa [127.0.0.1])
	by sepang.rtg.net (Postfix) with ESMTP id CCB44F89F8;
	Thu, 11 Aug 2011 13:18:44 -0600 (MDT)
Message-ID: <4E442B14.5000401@canonical.com>
Date: Thu, 11 Aug 2011 13:18:44 -0600
From: Tim Gardner <tim.gardner@canonical.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US;
	rv:1.9.2.18) Gecko/20110617 Thunderbird/3.1.11
MIME-Version: 1.0
To: John Johansen <john.johansen@canonical.com>
Subject: Re: [PATCH 1/2] [maverick CVE 1/2] Add mount option to check uid
	of device being mounted = expect uid
References: <1313048384-22901-1-git-send-email-john.johansen@canonical.com>
	<1313048881-23568-1-git-send-email-john.johansen@canonical.com>
	<20110811133353.GA12580@shadowen.org>
	<4E4408EB.6030908@canonical.com>
In-Reply-To: <4E4408EB.6030908@canonical.com>
Cc: Andy Whitcroft <apw@canonical.com>, kernel-team@lists.ubuntu.com
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
Sender: kernel-team-bounces@lists.ubuntu.com
Errors-To: kernel-team-bounces@lists.ubuntu.com

How about this?
Acked-by: John Johansen <john.johansen@canonical.com>

From 5a90787578603c7207dfc1be2dad5f09780bbae8 Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@canonical.com>
Date: Thu, 11 Aug 2011 00:48:00 -0700
Subject: [PATCH] Add mount option to check uid of device being mounted = expect uid, CVE-2011-1833

Close a TOCTOU race for mounts done via ecryptfs-mount-private.  The mount
source (device) can be raced when the ownership test is done in userspace.
Provide Ecryptfs a means to force the uid check at mount time.

(backported from commit 764355487ea220fdc2faf128d577d7f679b91f97)
CVE-2011-1833
BugLink: http://bugs.launchpad.net/bugs/732628

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
 fs/ecryptfs/main.c |   29 ++++++++++++++++++++++++-----
 1 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/fs/ecryptfs/main.c b/fs/ecryptfs/main.c
index cbd4e18..d5581f6 100644
--- a/fs/ecryptfs/main.c
+++ b/fs/ecryptfs/main.c
@@ -208,7 +208,8 @@ enum { ecryptfs_opt_sig, ecryptfs_opt_ecryptfs_sig,
        ecryptfs_opt_passthrough, ecryptfs_opt_xattr_metadata,
        ecryptfs_opt_encrypted_view, ecryptfs_opt_fnek_sig,
        ecryptfs_opt_fn_cipher, ecryptfs_opt_fn_cipher_key_bytes,
-       ecryptfs_opt_unlink_sigs, ecryptfs_opt_err };
+       ecryptfs_opt_unlink_sigs, ecryptfs_opt_check_dev_ruid,
+       ecryptfs_opt_err };
 
 static const match_table_t tokens = {
 	{ecryptfs_opt_sig, "sig=%s"},
@@ -223,6 +224,7 @@ static const match_table_t tokens = {
 	{ecryptfs_opt_fn_cipher, "ecryptfs_fn_cipher=%s"},
 	{ecryptfs_opt_fn_cipher_key_bytes, "ecryptfs_fn_key_bytes=%u"},
 	{ecryptfs_opt_unlink_sigs, "ecryptfs_unlink_sigs"},
+	{ecryptfs_opt_check_dev_ruid, "ecryptfs_check_dev_ruid"},
 	{ecryptfs_opt_err, NULL}
 };
 
@@ -266,6 +268,7 @@ static void ecryptfs_init_mount_crypt_stat(
  * ecryptfs_parse_options
  * @sb: The ecryptfs super block
  * @options: The options pased to the kernel
+ * @check_ruid: set to 1 if device uid should be checked against the ruid
  *
  * Parse mount options:
  * debug=N 	   - ecryptfs_verbosity level for debug output
@@ -281,7 +284,8 @@ static void ecryptfs_init_mount_crypt_stat(
  *
  * Returns zero on success; non-zero on error
  */
-static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options)
+static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options,
+				  uid_t *check_ruid)
 {
 	char *p;
 	int rc = 0;
@@ -306,6 +310,8 @@ static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options)
 	char *cipher_key_bytes_src;
 	char *fn_cipher_key_bytes_src;
 
+	*check_ruid = 0;
+
 	if (!options) {
 		rc = -EINVAL;
 		goto out;
@@ -406,6 +412,9 @@ static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options)
 		case ecryptfs_opt_unlink_sigs:
 			mount_crypt_stat->flags |= ECRYPTFS_UNLINK_SIGS;
 			break;
+		case ecryptfs_opt_check_dev_ruid:
+			*check_ruid = 1;
+			break;
 		case ecryptfs_opt_err:
 		default:
 			printk(KERN_WARNING
@@ -494,7 +503,7 @@ static struct file_system_type ecryptfs_fs_type;
  * ecryptfs_interpose to create our initial inode and super block
  * struct.
  */
-static int ecryptfs_read_super(struct super_block *sb, const char *dev_name)
+static int ecryptfs_read_super(struct super_block *sb, const char *dev_name, uid_t check_ruid)
 {
 	struct path path;
 	int rc;
@@ -511,6 +520,15 @@ static int ecryptfs_read_super(struct super_block *sb, const char *dev_name)
 			"known incompatibilities\n");
 		goto out_free;
 	}
+
+	if (check_ruid && path.dentry->d_inode->i_uid != current_uid()) {
+		rc = -EPERM;
+		printk(KERN_ERR "Mount of device (uid: %d) not owned by "
+		       "requested user (uid: %d)\n",
+		       path.dentry->d_inode->i_uid, current_uid());
+		goto out_free;
+	}
+
 	ecryptfs_set_superblock_lower(sb, path.dentry->d_sb);
 	sb->s_maxbytes = path.dentry->d_sb->s_maxbytes;
 	sb->s_blocksize = path.dentry->d_sb->s_blocksize;
@@ -549,6 +567,7 @@ static int ecryptfs_get_sb(struct file_system_type *fs_type, int flags,
 	struct ecryptfs_dentry_info *root_info;
 	const char *err = "Getting sb failed";
 	int rc;
+	uid_t check_ruid;
 
 	sbi = kmem_cache_zalloc(ecryptfs_sb_info_cache, GFP_KERNEL);
 	if (!sbi) {
@@ -556,7 +575,7 @@ static int ecryptfs_get_sb(struct file_system_type *fs_type, int flags,
 		goto out;
 	}
 
-	rc = ecryptfs_parse_options(sbi, raw_data);
+	rc = ecryptfs_parse_options(sbi, raw_data, &check_ruid);
 	if (rc) {
 		err = "Error parsing options";
 		goto out;
@@ -601,7 +620,7 @@ static int ecryptfs_get_sb(struct file_system_type *fs_type, int flags,
 	/* ->kill_sb() will take care of root_info */
 	ecryptfs_set_dentry_private(s->s_root, root_info);
 	s->s_flags |= MS_ACTIVE;
-	rc = ecryptfs_read_super(s, dev_name);
+	rc = ecryptfs_read_super(s, dev_name, check_ruid);
 	if (rc) {
 		deactivate_locked_super(s);
 		err = "Reading sb failed";
-- 
1.7.0.4