1. 06 Feb, 2019 3 commits
    •
      fork: record start_time late · b6d1e4fe
      David Herrmann authored
      This changes the fork(2) syscall to record the process start_time after
      initializing the basic task structure but still before making the new
      process visible to user-space.
      
      Technically, we could record the start_time anytime during fork(2).  But
      this might lead to scenarios where a start_time is recorded long before
      a process becomes visible to user-space.  For instance, with
      userfaultfd(2) and TLS, user-space can delay the execution of fork(2)
      for an indefinite amount of time (and will, if this causes network
      access, or similar).
      
      By recording the start_time late, it reflects much more closely the point
      in time where the process becomes live and can be observed by other
      processes.
      
      Lastly, this makes it much harder for user-space to predict and control
      the start_time they get assigned.  Previously, user-space could fork a
      process and stall it in copy_thread_tls() before its pid is allocated,
      but after its start_time is recorded.  This can be misused to later on
      cycle through PIDs and resume the stalled fork(2), yielding a process
      that has the same pid and start_time as a process that existed before.
      This can be used to circumvent security systems that identify processes
      by their pid+start_time combination.
      
      Even though user-space was always aware that start_time recording is
      flaky (but several projects are known to still rely on start_time-based
      identification), changing the start_time to be recorded late will help
      mitigate existing attacks and make it much harder for user-space to
      control the start_time a process gets assigned.
      Reported-by: Jann Horn <jannh@google.com>
      Signed-off-by: Tom Gundersen <teg@jklm.no>
      Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      
      CVE-2019-6133
      
      (cherry picked from commit 7b558513)
      Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
      Acked-by: Khalid Elmously <khalid.elmously@canonical.com>
      Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
      Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
      b6d1e4fe
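As an added example (not part of the commit above or of any project it mentions), this shows the pid+start_time identification the message refers to, as a userspace observer implements it by reading /proc/<pid>/stat, where field 22 is starttime in clock ticks since boot. The sample stat line is constructed and the function names are my own; the parser handles a comm field containing spaces or ')' by splitting at the last ')'.

```python
# Added example: derive a (pid, start_time) process identity from
# /proc/<pid>/stat, the scheme the fork(2) change hardens.
# Not code from the kernel or from any project named in the commit.
from typing import NamedTuple, Optional


class ProcIdentity(NamedTuple):
    pid: int
    start_time: int  # field 22 of /proc/<pid>/stat: clock ticks since boot


def parse_stat(stat_line: str) -> ProcIdentity:
    """Parse one /proc/<pid>/stat line into (pid, starttime).

    Field 2 (comm) is parenthesised and may itself contain spaces or ')',
    so the line is split at the *last* ')' instead of on whitespace alone.
    """
    head, _, tail = stat_line.rpartition(")")
    pid = int(head.split("(", 1)[0])
    fields = tail.split()  # fields 3..N, so field 22 is index 19
    return ProcIdentity(pid=pid, start_time=int(fields[19]))


def read_identity(pid: int) -> Optional[ProcIdentity]:
    """Identity of a live process on a Linux host, or None if it is gone."""
    try:
        with open(f"/proc/{pid}/stat") as f:
            return parse_stat(f.read())
    except FileNotFoundError:
        return None


def same_process(cached: ProcIdentity, current: Optional[ProcIdentity]) -> bool:
    """True only if the pid still refers to the process seen earlier.

    A pid alone is not enough because pids are recycled; comparing
    start_time too is the pid+start_time scheme the commit message
    describes, which recording start_time late makes harder to collide.
    """
    return current is not None and cached == current


# Constructed sample: pid 4242, comm "evil) name", starttime 987654.
SAMPLE_STAT = (
    "4242 (evil) name) S 1 4242 4242 0 -1 4194560 100 0 0 0 1 2 0 0 "
    "20 0 1 0 987654 12345678 300"
)

if __name__ == "__main__":
    import os
    print(parse_stat(SAMPLE_STAT))
    print(read_identity(os.getpid()))  # None on a non-Linux host
```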
    •
      UBUNTU: SAUCE: fan: Fix NULL pointer dereference · cd399450
      Juerg Haefliger authored
      BugLink: https://bugs.launchpad.net/bugs/1811803
      
      Fix a NULL pointer dereference in fan code that can easily be triggered
      by running:
      $ sudo ip link add foo type ipip
      
      Which leads to:
      [    1.330067] BUG: unable to handle kernel NULL pointer dereference at 0000000000000108
      [    1.330792] IP: [<ffffffff817e8132>] ipip_netlink_fan.isra.7+0x12/0x280
      [    1.331399] PGD 800000003fb94067 PUD 3fb93067 PMD 0
      [    1.331882] Oops: 0000 [#1] SMP
      [    1.332200] Modules linked in:
      [    1.332492] CPU: 0 PID: 137 Comm: ip Not tainted 4.4.167+ #5
      [    1.333001] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1ubuntu1 04/01/2014
      [    1.333740] task: ffff88003c38a640 ti: ffff88003fb5c000 task.ti: ffff88003fb5c000
      [    1.334375] RIP: 0010:[<ffffffff817e8132>]  [<ffffffff817e8132>] ipip_netlink_fan.isra.7+0x12/0x280
      [    1.335193] RSP: 0018:ffff88003fb5f778  EFLAGS: 00010246
      [    1.335671] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
      [    1.336305] RDX: ffff88003fb5f7f0 RSI: ffff88003fa3f840 RDI: 0000000000000000
      [    1.336940] RBP: ffff88003fb5f7a0 R08: 000000000000000a R09: 0000000000000092
      [    1.337587] R10: 0000000000000000 R11: 00000000000001ad R12: ffff88003fa3f000
      [    1.338267] R13: ffff88003fb5f9d0 R14: ffff88003fa3f840 R15: ffffffff81f4b240
      [    1.338904] FS:  00007f535979b700(0000) GS:ffff88003e400000(0000) knlGS:0000000000000000
      [    1.339590] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [    1.340066] CR2: 0000000000000108 CR3: 000000003fb60000 CR4: 0000000000000670
      [    1.340750] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [    1.341341] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [    1.341909] Stack:
      [    1.342080]  0000000000000000 ffff88003fa3f000 ffff88003fb5f9d0 ffff88003fa3f840
      [    1.342725]  ffffffff81f4b240 ffff88003fb5f828 ffffffff817e8515 0000000381356f0e
      [    1.343334]  0000000000000000 0000000000000000 0000000000000000 0000000000000000
      [    1.343943] Call Trace:
      [    1.344141]  [<ffffffff817e8515>] ipip_newlink+0xa5/0xc0
      [    1.344553]  [<ffffffff81782f5b>] ? __netlink_ns_capable+0x3b/0x40
      [    1.345029]  [<ffffffff817651fd>] rtnl_newlink+0x6fd/0x8b0
      [    1.345699]  [<ffffffff811f92b1>] ? kmem_cache_alloc+0x1a1/0x1f0
      [    1.346165]  [<ffffffff8119abd5>] ? mempool_alloc_slab+0x15/0x20
      [    1.346630]  [<ffffffff81436463>] ? validate_nla+0x93/0x1a0
      [    1.347060]  [<ffffffff81436680>] ? nla_parse+0xa0/0x100
      [    1.347474]  [<ffffffff81436732>] ? nla_strlcpy+0x52/0x60
      [    1.347891]  [<ffffffff81762099>] ? rtnl_link_ops_get+0x39/0x50
      [    1.348347]  [<ffffffff81764c76>] ? rtnl_newlink+0x176/0x8b0
      [    1.348784]  [<ffffffff8176373c>] rtnetlink_rcv_msg+0xec/0x230
      [    1.349237]  [<ffffffff811fce3b>] ? __kmalloc_node_track_caller+0x24b/0x310
      [    1.349774]  [<ffffffff8173e397>] ? __alloc_skb+0x87/0x1d0
      [    1.350198]  [<ffffffff81763650>] ? rtnetlink_rcv+0x30/0x30
      [    1.350628]  [<ffffffff81786da6>] netlink_rcv_skb+0xa6/0xc0
      [    1.351059]  [<ffffffff81763648>] rtnetlink_rcv+0x28/0x30
      [    1.351476]  [<ffffffff81786770>] netlink_unicast+0x190/0x240
      [    1.351919]  [<ffffffff81786b5a>] netlink_sendmsg+0x33a/0x3b0
      [    1.352363]  [<ffffffff813af211>] ? aa_sock_msg_perm+0x61/0x150
      [    1.352820]  [<ffffffff81734bde>] sock_sendmsg+0x3e/0x50
      [    1.353235]  [<ffffffff817356a7>] ___sys_sendmsg+0x287/0x2a0
      [    1.353672]  [<ffffffff8120ed2b>] ? mem_cgroup_try_charge+0x6b/0x1e0
      [    1.354162]  [<ffffffff811cb9ed>] ? handle_mm_fault+0xecd/0x1b80
      [    1.354625]  [<ffffffff81239fc7>] ? __alloc_fd+0xc7/0x190
      [    1.355044]  [<ffffffff81736021>] __sys_sendmsg+0x51/0x90
      [    1.355525]  [<ffffffff81736072>] SyS_sendmsg+0x12/0x20
      [    1.355933]  [<ffffffff81866e1b>] entry_SYSCALL_64_fastpath+0x22/0xcb
      [    1.356426] Code: 50 01 00 00 01 eb d3 49 8d 94 24 b8 08 00 00 eb ac e8 83 cf 89 ff 0f 1f 00 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 <48> 8b 9f 08 01 00 00 48 85 db 74 1e 8b 02 85 c0 75 25 44 0f b7
      [    1.358557] RIP  [<ffffffff817e8132>] ipip_netlink_fan.isra.7+0x12/0x280
      [    1.359086]  RSP <ffff88003fb5f778>
      [    1.359359] CR2: 0000000000000108
      [    1.359637] ---[ end trace 7820fbc7ced5dd6e ]---
      Signed-off-by: Juerg Haefliger <juergh@canonical.com>
      Acked-by: Seth Forshee <seth.forshee@canonical.com>
      Acked-by: Colin Ian King <colin.king@canonical.com>
      Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
      cd399450
    •
      UBUNTU: Start new release · 10e7710d
      Juerg Haefliger authored
      Ignore: yes
      Signed-off-by: Juerg Haefliger <juergh@canonical.com>
      10e7710d
  2. 16 Jan, 2019 37 commits