| Message ID | 1313048384-22901-2-git-send-email-john.johansen@canonical.com |
|---|---|
| State | New |
| Headers | show |
Looks like this has officially landed upstream in Linus' tree. So I've just cherry-picked from there, inserted the BugLink and CVE to the commit, and have applied to Oneiric master-next. Thanks, Leann On Thu, 2011-08-11 at 00:39 -0700, John Johansen wrote: > Close a TOCTOU race for mounts done via ecryptfs-mount-private. The mount > source (device) can be raced when the ownership test is done in userspace. > Provide Ecryptfs a means to force the uid check at mount time. > > (cherry picked from commit 764355487ea220fdc2faf128d577d7f679b91f97 git://git.kernel.org/pub/scm/linux/kernel/git/ecryptfs/ecryptfs-2.6.git for-linus) > CVE-2011-1833 > BugLink: http://bugs.launchpad.net/bugs/732628 > > Signed-off-by: John Johansen <john.johansen@canonical.com> > --- > fs/ecryptfs/main.c | 23 +++++++++++++++++++++-- > 1 files changed, 21 insertions(+), 2 deletions(-) > > diff --git a/fs/ecryptfs/main.c b/fs/ecryptfs/main.c > index 26faa17..703cda3 100644 > --- a/fs/ecryptfs/main.c > +++ b/fs/ecryptfs/main.c > @@ -175,6 +175,7 @@ enum { ecryptfs_opt_sig, ecryptfs_opt_ecryptfs_sig, > ecryptfs_opt_encrypted_view, ecryptfs_opt_fnek_sig, > ecryptfs_opt_fn_cipher, ecryptfs_opt_fn_cipher_key_bytes, > ecryptfs_opt_unlink_sigs, ecryptfs_opt_mount_auth_tok_only, > + ecryptfs_opt_check_dev_ruid, > ecryptfs_opt_err }; > > static const match_table_t tokens = { > @@ -191,6 +192,7 @@ static const match_table_t tokens = { > {ecryptfs_opt_fn_cipher_key_bytes, "ecryptfs_fn_key_bytes=%u"}, > {ecryptfs_opt_unlink_sigs, "ecryptfs_unlink_sigs"}, > {ecryptfs_opt_mount_auth_tok_only, "ecryptfs_mount_auth_tok_only"}, > + {ecryptfs_opt_check_dev_ruid, "ecryptfs_check_dev_ruid"}, > {ecryptfs_opt_err, NULL} > }; > > @@ -236,6 +238,7 @@ static void ecryptfs_init_mount_crypt_stat( > * ecryptfs_parse_options > * @sb: The ecryptfs super block > * @options: The options passed to the kernel > + * @check_ruid: set to 1 if device uid should be checked against the ruid > * > * Parse mount options: > * debug=N - ecryptfs_verbosity level for debug output > @@ -251,7 +254,8 @@ static void ecryptfs_init_mount_crypt_stat( > * > * Returns zero on success; non-zero on error > */ > -static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options) > +static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options, > + uid_t *check_ruid) > { > char *p; > int rc = 0; > @@ -276,6 +280,8 @@ static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options) > char *cipher_key_bytes_src; > char *fn_cipher_key_bytes_src; > > + *check_ruid = 0; > + > if (!options) { > rc = -EINVAL; > goto out; > @@ -380,6 +386,9 @@ static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options) > mount_crypt_stat->flags |= > ECRYPTFS_GLOBAL_MOUNT_AUTH_TOK_ONLY; > break; > + case ecryptfs_opt_check_dev_ruid: > + *check_ruid = 1; > + break; > case ecryptfs_opt_err: > default: > printk(KERN_WARNING > @@ -475,6 +484,7 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags > const char *err = "Getting sb failed"; > struct inode *inode; > struct path path; > + uid_t check_ruid; > int rc; > > sbi = kmem_cache_zalloc(ecryptfs_sb_info_cache, GFP_KERNEL); > @@ -483,7 +493,7 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags > goto out; > } > > - rc = ecryptfs_parse_options(sbi, raw_data); > + rc = ecryptfs_parse_options(sbi, raw_data, &check_ruid); > if (rc) { > err = "Error parsing options"; > goto out; > @@ -521,6 +531,15 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags > "known incompatibilities\n"); > goto out_free; > } > + > + if (check_ruid && path.dentry->d_inode->i_uid != current_uid()) { > + rc = -EPERM; > + printk(KERN_ERR "Mount of device (uid: %d) not owned by " > + "requested user (uid: %d)\n", > + path.dentry->d_inode->i_uid, current_uid()); > + goto out_free; > + } > + > ecryptfs_set_superblock_lower(s, path.dentry->d_sb); > s->s_maxbytes = path.dentry->d_sb->s_maxbytes; > s->s_blocksize = path.dentry->d_sb->s_blocksize; > -- > 1.7.5.4 > >
diff --git a/fs/ecryptfs/main.c b/fs/ecryptfs/main.c index 26faa17..703cda3 100644 --- a/fs/ecryptfs/main.c +++ b/fs/ecryptfs/main.c @@ -175,6 +175,7 @@ enum { ecryptfs_opt_sig, ecryptfs_opt_ecryptfs_sig, ecryptfs_opt_encrypted_view, ecryptfs_opt_fnek_sig, ecryptfs_opt_fn_cipher, ecryptfs_opt_fn_cipher_key_bytes, ecryptfs_opt_unlink_sigs, ecryptfs_opt_mount_auth_tok_only, + ecryptfs_opt_check_dev_ruid, ecryptfs_opt_err }; static const match_table_t tokens = { @@ -191,6 +192,7 @@ static const match_table_t tokens = { {ecryptfs_opt_fn_cipher_key_bytes, "ecryptfs_fn_key_bytes=%u"}, {ecryptfs_opt_unlink_sigs, "ecryptfs_unlink_sigs"}, {ecryptfs_opt_mount_auth_tok_only, "ecryptfs_mount_auth_tok_only"}, + {ecryptfs_opt_check_dev_ruid, "ecryptfs_check_dev_ruid"}, {ecryptfs_opt_err, NULL} }; @@ -236,6 +238,7 @@ static void ecryptfs_init_mount_crypt_stat( * ecryptfs_parse_options * @sb: The ecryptfs super block * @options: The options passed to the kernel + * @check_ruid: set to 1 if device uid should be checked against the ruid * * Parse mount options: * debug=N - ecryptfs_verbosity level for debug output @@ -251,7 +254,8 @@ static void ecryptfs_init_mount_crypt_stat( * * Returns zero on success; non-zero on error */ -static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options) +static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options, + uid_t *check_ruid) { char *p; int rc = 0; @@ -276,6 +280,8 @@ static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options) char *cipher_key_bytes_src; char *fn_cipher_key_bytes_src; + *check_ruid = 0; + if (!options) { rc = -EINVAL; goto out; @@ -380,6 +386,9 @@ static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options) mount_crypt_stat->flags |= ECRYPTFS_GLOBAL_MOUNT_AUTH_TOK_ONLY; break; + case ecryptfs_opt_check_dev_ruid: + *check_ruid = 1; + break; case ecryptfs_opt_err: default: printk(KERN_WARNING @@ -475,6 +484,7 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags const char *err = "Getting sb failed"; struct inode *inode; struct path path; + uid_t check_ruid; int rc; sbi = kmem_cache_zalloc(ecryptfs_sb_info_cache, GFP_KERNEL); @@ -483,7 +493,7 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags goto out; } - rc = ecryptfs_parse_options(sbi, raw_data); + rc = ecryptfs_parse_options(sbi, raw_data, &check_ruid); if (rc) { err = "Error parsing options"; goto out; @@ -521,6 +531,15 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags "known incompatibilities\n"); goto out_free; } + + if (check_ruid && path.dentry->d_inode->i_uid != current_uid()) { + rc = -EPERM; + printk(KERN_ERR "Mount of device (uid: %d) not owned by " + "requested user (uid: %d)\n", + path.dentry->d_inode->i_uid, current_uid()); + goto out_free; + } + ecryptfs_set_superblock_lower(s, path.dentry->d_sb); s->s_maxbytes = path.dentry->d_sb->s_maxbytes; s->s_blocksize = path.dentry->d_sb->s_blocksize;
Close a TOCTOU race for mounts done via ecryptfs-mount-private. The mount source (device) can be raced when the ownership test is done in userspace. Provide Ecryptfs a means to force the uid check at mount time. (cherry picked from commit 764355487ea220fdc2faf128d577d7f679b91f97 git://git.kernel.org/pub/scm/linux/kernel/git/ecryptfs/ecryptfs-2.6.git for-linus) CVE-2011-1833 BugLink: http://bugs.launchpad.net/bugs/732628 Signed-off-by: John Johansen <john.johansen@canonical.com> --- fs/ecryptfs/main.c | 23 +++++++++++++++++++++-- 1 files changed, 21 insertions(+), 2 deletions(-)