From: Chen Qi <Qi.Chen@windriver.com>
To: <openembedded-core@lists.openembedded.org>
Subject: [PATCH 2/3] systemd: fix CVE-2018-15687
Date: Fri, 2 Nov 2018 12:42:42 +0800 [thread overview]
Message-ID: <0834a390804c0def6b455e85e2198248ec767e09.1541133621.git.Qi.Chen@windriver.com> (raw)
In-Reply-To: <cover.1541133621.git.Qi.Chen@windriver.com>
Backport patch to fix the following CVE.
CVE: CVE-2018-15687
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
...sive-let-s-rework-the-recursive-logic-to-.patch | 219 +++++++++++++++++++++
meta/recipes-core/systemd/systemd_239.bb | 1 +
2 files changed, 220 insertions(+)
create mode 100644 meta/recipes-core/systemd/systemd/0001-chown-recursive-let-s-rework-the-recursive-logic-to-.patch
diff --git a/meta/recipes-core/systemd/systemd/0001-chown-recursive-let-s-rework-the-recursive-logic-to-.patch b/meta/recipes-core/systemd/systemd/0001-chown-recursive-let-s-rework-the-recursive-logic-to-.patch
new file mode 100644
index 0000000..9d350eb
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0001-chown-recursive-let-s-rework-the-recursive-logic-to-.patch
@@ -0,0 +1,219 @@
+From 2da8ba3f507345d0401ea9d7191fa16ffa560ebc Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Fri, 19 Oct 2018 11:26:59 +0200
+Subject: [PATCH] chown-recursive: let's rework the recursive logic to use
+ O_PATH
+
+That way we can pin a specific inode and analyze it and manipulate it
+without it being swapped out beneath our hands.
+
+Fixes a vulnerability originally found by Jann Horn from Google.
+
+CVE-2018-15687
+LP: #1796692
+https://bugzilla.redhat.com/show_bug.cgi?id=1639076
+
+(cherry picked from commit 5de6cce58b3e8b79239b6e83653459d91af6e57c)
+
+CVE: CVE-2018-15687
+Upstream-Status: Backport
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ src/core/chown-recursive.c | 146 ++++++++++++++++++++++-----------------------
+ 1 file changed, 70 insertions(+), 76 deletions(-)
+
+diff --git a/src/core/chown-recursive.c b/src/core/chown-recursive.c
+index c479450..27c6448 100644
+--- a/src/core/chown-recursive.c
++++ b/src/core/chown-recursive.c
+@@ -1,17 +1,19 @@
+ /* SPDX-License-Identifier: LGPL-2.1+ */
+
+-#include <sys/types.h>
+-#include <sys/stat.h>
+ #include <fcntl.h>
++#include <sys/stat.h>
++#include <sys/types.h>
+
+-#include "user-util.h"
+-#include "macro.h"
+-#include "fd-util.h"
+-#include "dirent-util.h"
+ #include "chown-recursive.h"
++#include "dirent-util.h"
++#include "fd-util.h"
++#include "macro.h"
++#include "stdio-util.h"
++#include "strv.h"
++#include "user-util.h"
+
+-static int chown_one(int fd, const char *name, const struct stat *st, uid_t uid, gid_t gid) {
+- int r;
++static int chown_one(int fd, const struct stat *st, uid_t uid, gid_t gid) {
++ char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1];
+
+ assert(fd >= 0);
+ assert(st);
+@@ -20,90 +22,82 @@ static int chown_one(int fd, const char *name, const struct stat *st, uid_t uid,
+ (!gid_is_valid(gid) || st->st_gid == gid))
+ return 0;
+
+- if (name)
+- r = fchownat(fd, name, uid, gid, AT_SYMLINK_NOFOLLOW);
+- else
+- r = fchown(fd, uid, gid);
+- if (r < 0)
+- return -errno;
++ /* We change ownership through the /proc/self/fd/%i path, so that we have a stable reference that works with
++ * O_PATH. (Note: fchown() and fchmod() do not work with O_PATH, the kernel refuses that. */
++ xsprintf(procfs_path, "/proc/self/fd/%i", fd);
+
+- /* The linux kernel alters the mode in some cases of chown(). Let's undo this. */
+- if (name) {
+- if (!S_ISLNK(st->st_mode))
+- r = fchmodat(fd, name, st->st_mode, 0);
+- else /* There's currently no AT_SYMLINK_NOFOLLOW for fchmodat() */
+- r = 0;
+- } else
+- r = fchmod(fd, st->st_mode);
+- if (r < 0)
++ if (chown(procfs_path, uid, gid) < 0)
+ return -errno;
+
++ /* The linux kernel alters the mode in some cases of chown(). Let's undo this. We do this only for non-symlinks
++ * however. That's because for symlinks the access mode is ignored anyway and because on some kernels/file
++ * systems trying to change the access mode will succeed but has no effect while on others it actively
++ * fails. */
++ if (!S_ISLNK(st->st_mode))
++ if (chmod(procfs_path, st->st_mode & 07777) < 0)
++ return -errno;
++
+ return 1;
+ }
+
+ static int chown_recursive_internal(int fd, const struct stat *st, uid_t uid, gid_t gid) {
++ _cleanup_closedir_ DIR *d = NULL;
+ bool changed = false;
++ struct dirent *de;
+ int r;
+
+ assert(fd >= 0);
+ assert(st);
+
+- if (S_ISDIR(st->st_mode)) {
+- _cleanup_closedir_ DIR *d = NULL;
+- struct dirent *de;
+-
+- d = fdopendir(fd);
+- if (!d) {
+- r = -errno;
+- goto finish;
+- }
+- fd = -1;
+-
+- FOREACH_DIRENT_ALL(de, d, r = -errno; goto finish) {
+- struct stat fst;
+-
+- if (dot_or_dot_dot(de->d_name))
+- continue;
+-
+- if (fstatat(dirfd(d), de->d_name, &fst, AT_SYMLINK_NOFOLLOW) < 0) {
+- r = -errno;
+- goto finish;
+- }
+-
+- if (S_ISDIR(fst.st_mode)) {
+- int subdir_fd;
+-
+- subdir_fd = openat(dirfd(d), de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
+- if (subdir_fd < 0) {
+- r = -errno;
+- goto finish;
+- }
+-
+- r = chown_recursive_internal(subdir_fd, &fst, uid, gid);
+- if (r < 0)
+- goto finish;
+- if (r > 0)
+- changed = true;
+- } else {
+- r = chown_one(dirfd(d), de->d_name, &fst, uid, gid);
+- if (r < 0)
+- goto finish;
+- if (r > 0)
+- changed = true;
+- }
++ d = fdopendir(fd);
++ if (!d) {
++ safe_close(fd);
++ return -errno;
++ }
++
++ FOREACH_DIRENT_ALL(de, d, return -errno) {
++ _cleanup_close_ int path_fd = -1;
++ struct stat fst;
++
++ if (dot_or_dot_dot(de->d_name))
++ continue;
++
++ /* Let's pin the child inode we want to fix now with an O_PATH fd, so that it cannot be swapped out
++ * while we manipulate it. */
++ path_fd = openat(dirfd(d), de->d_name, O_PATH|O_CLOEXEC|O_NOFOLLOW);
++ if (path_fd < 0)
++ return -errno;
++
++ if (fstat(path_fd, &fst) < 0)
++ return -errno;
++
++ if (S_ISDIR(fst.st_mode)) {
++ int subdir_fd;
++
++ /* Convert it to a "real" (i.e. non-O_PATH) fd now */
++ subdir_fd = fd_reopen(path_fd, O_RDONLY|O_CLOEXEC|O_NOATIME);
++ if (subdir_fd < 0)
++ return subdir_fd;
++
++ r = chown_recursive_internal(subdir_fd, &fst, uid, gid); /* takes possession of subdir_fd even on failure */
++ if (r < 0)
++ return r;
++ if (r > 0)
++ changed = true;
++ } else {
++ r = chown_one(path_fd, &fst, uid, gid);
++ if (r < 0)
++ return r;
++ if (r > 0)
++ changed = true;
+ }
++ }
+
+- r = chown_one(dirfd(d), NULL, st, uid, gid);
+- } else
+- r = chown_one(fd, NULL, st, uid, gid);
++ r = chown_one(dirfd(d), st, uid, gid);
+ if (r < 0)
+- goto finish;
++ return r;
+
+- r = r > 0 || changed;
+-
+-finish:
+- safe_close(fd);
+- return r;
++ return r > 0 || changed;
+ }
+
+ int path_chown_recursive(const char *path, uid_t uid, gid_t gid) {
+@@ -111,7 +105,7 @@ int path_chown_recursive(const char *path, uid_t uid, gid_t gid) {
+ struct stat st;
+ int r;
+
+- fd = open(path, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
++ fd = open(path, O_RDONLY|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
+ if (fd < 0)
+ return -errno;
+
+--
+2.7.4
+
diff --git a/meta/recipes-core/systemd/systemd_239.bb b/meta/recipes-core/systemd/systemd_239.bb
index 48b6c3a..47fff40 100644
--- a/meta/recipes-core/systemd/systemd_239.bb
+++ b/meta/recipes-core/systemd/systemd_239.bb
@@ -31,6 +31,7 @@ SRC_URI += "file://touchscreen.rules \
file://0022-build-sys-Detect-whether-struct-statx-is-defined-in-.patch \
file://0023-resolvconf-fixes-for-the-compatibility-interface.patch \
file://0001-core-when-deserializing-state-always-use-read_line-L.patch \
+ file://0001-chown-recursive-let-s-rework-the-recursive-logic-to-.patch \
"
# patches made for musl are only applied on TCLIBC is musl
--
1.9.1
next prev parent reply other threads:[~2018-11-02 4:36 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-02 4:42 [PATCH V2 0/3] systemd: backport patches to fix 3 CVEs Chen Qi
2018-11-02 4:42 ` [PATCH 1/3] systemd: fix CVE-2018-15686 Chen Qi
2018-11-02 4:42 ` Chen Qi [this message]
2018-11-02 4:42 ` [PATCH 3/3] systemd: fix CVE-2018-15688 Chen Qi
2018-11-02 5:03 ` ✗ patchtest: failure for systemd: backport patches to fix 3 CVEs (rev2) Patchwork
2018-11-02 6:37 ` ChenQi
-- strict thread matches above, loose matches on Subject: below --
2018-11-02 1:53 [PATCH 0/3] systemd: backport patches to fix 3 CVEs Chen Qi
2018-11-02 1:53 ` [PATCH 2/3] systemd: fix CVE-2018-15687 Chen Qi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0834a390804c0def6b455e85e2198248ec767e09.1541133621.git.Qi.Chen@windriver.com \
--to=qi.chen@windriver.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.