releases/2.6.14.1/cve-2005-2709-sysctl-unregistration-oops.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From security-bounces@linux.kernel.org Tue Nov  8 07:05:26 2005
 Date: Tue, 8 Nov 2005 15:03:46 +0000 (GMT)
 From: Mark J Cox <mjc@redhat.com>
 To: security@kernel.org
 Message-ID: <0511081502560.8682@dell1.moose.awe.com>
 Cc: aviro@redhat.com, vendor-sec@lst.de
 Subject: CVE-2005-2709 sysctl unregistration oops

 From: Al Viro <viro@zeniv.linux.org.uk>

 You could open the /proc/sys/net/ipv4/conf/<if>/<whatever> file, then
 wait for interface to go away, try to grab as much memory as possible in
 hope to hit the (kfreed) ctl_table.  Then fill it with pointers to your
 function. Then do read from file you've opened and if you are lucky,
 you'll get it called as ->proc_handler() in kernel mode.

 So this is at least an Oops and possibly more.  It does depend on an
 interface going away though, so less of a security risk than it would
 otherwise be.

 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

 diff -urN current/arch/s390/appldata/appldata_base.c sysctl/arch/s390/appldata/appldata_base.c
 --- current/arch/s390/appldata/appldata_base.c	2005-08-28 23:09:40.000000000 -0400
 +++ sysctl/arch/s390/appldata/appldata_base.c	2005-11-03 08:53:57.000000000 -0500
 @@ -592,12 +592,15 @@
   */
  void appldata_unregister_ops(struct appldata_ops *ops)
  {
 +	void *table;
  	spin_lock(&appldata_ops_lock);
 -	unregister_sysctl_table(ops->sysctl_header);
  	list_del(&ops->list);
 -	kfree(ops->ctl_table);
 +	/* at that point any incoming access will fail */
 +	table = ops->ctl_table;
  	ops->ctl_table = NULL;
  	spin_unlock(&appldata_ops_lock);
 +	unregister_sysctl_table(ops->sysctl_header);
 +	kfree(table);
  	P_INFO("%s-ops unregistered!\n", ops->name);
  }
  /********************** module-ops management <END> **************************/
 diff -urN current/include/linux/proc_fs.h sysctl/include/linux/proc_fs.h
 --- current/include/linux/proc_fs.h	2005-08-28 23:09:48.000000000 -0400
 +++ sysctl/include/linux/proc_fs.h	2005-11-03 08:43:22.000000000 -0500
 @@ -66,6 +66,7 @@
  	write_proc_t *write_proc;
  	atomic_t count;		/* use count */
  	int deleted;		/* delete flag */
 +	void *set;
  };

  struct kcore_list {
 diff -urN current/include/linux/sysctl.h sysctl/include/linux/sysctl.h
 --- current/include/linux/sysctl.h	2005-10-28 16:42:49.000000000 -0400
 +++ sysctl/include/linux/sysctl.h	2005-11-03 08:43:22.000000000 -0500
 @@ -24,6 +24,7 @@
  #include <linux/compiler.h>

  struct file;
 +struct completion;

  #define CTL_MAXNAME 10		/* how many path components do we allow in a
  				   call to sysctl?   In other words, what is
 @@ -925,6 +926,8 @@
  {
  	ctl_table *ctl_table;
  	struct list_head ctl_entry;
 +	int used;
 +	struct completion *unregistering;
  };

  struct ctl_table_header * register_sysctl_table(ctl_table * table,
 diff -urN current/kernel/sysctl.c sysctl/kernel/sysctl.c
 --- current/kernel/sysctl.c	2005-10-28 16:42:49.000000000 -0400
 +++ sysctl/kernel/sysctl.c	2005-11-03 08:50:17.000000000 -0500
 @@ -169,7 +169,7 @@

  extern struct proc_dir_entry *proc_sys_root;

 -static void register_proc_table(ctl_table *, struct proc_dir_entry *);
 +static void register_proc_table(ctl_table *, struct proc_dir_entry *, void *);
  static void unregister_proc_table(ctl_table *, struct proc_dir_entry *);
  #endif

 @@ -992,10 +992,51 @@

  extern void init_irq_proc (void);

 +static DEFINE_SPINLOCK(sysctl_lock);
 +
 +/* called under sysctl_lock */
 +static int use_table(struct ctl_table_header *p)
 +{
 +	if (unlikely(p->unregistering))
 +		return 0;
 +	p->used++;
 +	return 1;
 +}
 +
 +/* called under sysctl_lock */
 +static void unuse_table(struct ctl_table_header *p)
 +{
 +	if (!--p->used)
 +		if (unlikely(p->unregistering))
 +			complete(p->unregistering);
 +}
 +
 +/* called under sysctl_lock, will reacquire if has to wait */
 +static void start_unregistering(struct ctl_table_header *p)
 +{
 +	/*
 +	 * if p->used is 0, nobody will ever touch that entry again;
 +	 * we'll eliminate all paths to it before dropping sysctl_lock
 +	 */
 +	if (unlikely(p->used)) {
 +		struct completion wait;
 +		init_completion(&wait);
 +		p->unregistering = &wait;
 +		spin_unlock(&sysctl_lock);
 +		wait_for_completion(&wait);
 +		spin_lock(&sysctl_lock);
 +	}
 +	/*
 +	 * do not remove from the list until nobody holds it; walking the
 +	 * list in do_sysctl() relies on that.
 +	 */
 +	list_del_init(&p->ctl_entry);
 +}
 +
  void __init sysctl_init(void)
  {
  #ifdef CONFIG_PROC_FS
 -	register_proc_table(root_table, proc_sys_root);
 +	register_proc_table(root_table, proc_sys_root, &root_table_header);
  	init_irq_proc();
  #endif
  }
 @@ -1004,6 +1045,7 @@
  	       void __user *newval, size_t newlen)
  {
  	struct list_head *tmp;
 +	int error = -ENOTDIR;

  	if (nlen <= 0 || nlen >= CTL_MAXNAME)
  		return -ENOTDIR;
 @@ -1012,20 +1054,30 @@
  		if (!oldlenp || get_user(old_len, oldlenp))
  			return -EFAULT;
  	}
 +	spin_lock(&sysctl_lock);
  	tmp = &root_table_header.ctl_entry;
  	do {
  		struct ctl_table_header *head =
  			list_entry(tmp, struct ctl_table_header, ctl_entry);
  		void *context = NULL;
 -		int error = parse_table(name, nlen, oldval, oldlenp,
 +
 +		if (!use_table(head))
 +			continue;
 +
 +		spin_unlock(&sysctl_lock);
 +
 +		error = parse_table(name, nlen, oldval, oldlenp,
  					newval, newlen, head->ctl_table,
  					&context);
  		kfree(context);
 +
 +		spin_lock(&sysctl_lock);
 +		unuse_table(head);
  		if (error != -ENOTDIR)
 -			return error;
 -		tmp = tmp->next;
 -	} while (tmp != &root_table_header.ctl_entry);
 -	return -ENOTDIR;
 +			break;
 +	} while ((tmp = tmp->next) != &root_table_header.ctl_entry);
 +	spin_unlock(&sysctl_lock);
 +	return error;
  }

  asmlinkage long sys_sysctl(struct __sysctl_args __user *args)
 @@ -1236,12 +1288,16 @@
  		return NULL;
  	tmp->ctl_table = table;
  	INIT_LIST_HEAD(&tmp->ctl_entry);
 +	tmp->used = 0;
 +	tmp->unregistering = NULL;
 +	spin_lock(&sysctl_lock);
  	if (insert_at_head)
  		list_add(&tmp->ctl_entry, &root_table_header.ctl_entry);
  	else
  		list_add_tail(&tmp->ctl_entry, &root_table_header.ctl_entry);
 +	spin_unlock(&sysctl_lock);
  #ifdef CONFIG_PROC_FS
 -	register_proc_table(table, proc_sys_root);
 +	register_proc_table(table, proc_sys_root, tmp);
  #endif
  	return tmp;
  }
 @@ -1255,10 +1311,13 @@
   */
  void unregister_sysctl_table(struct ctl_table_header * header)
  {
 -	list_del(&header->ctl_entry);
 +	might_sleep();
 +	spin_lock(&sysctl_lock);
 +	start_unregistering(header);
  #ifdef CONFIG_PROC_FS
  	unregister_proc_table(header->ctl_table, proc_sys_root);
  #endif
 +	spin_unlock(&sysctl_lock);
  	kfree(header);
  }

 @@ -1269,7 +1328,7 @@
  #ifdef CONFIG_PROC_FS

  /* Scan the sysctl entries in table and add them all into /proc */
 -static void register_proc_table(ctl_table * table, struct proc_dir_entry *root)
 +static void register_proc_table(ctl_table * table, struct proc_dir_entry *root, void *set)
  {
  	struct proc_dir_entry *de;
  	int len;
 @@ -1305,13 +1364,14 @@
  			de = create_proc_entry(table->procname, mode, root);
  			if (!de)
  				continue;
 +			de->set = set;
  			de->data = (void *) table;
  			if (table->proc_handler)
  				de->proc_fops = &proc_sys_file_operations;
  		}
  		table->de = de;
  		if (de->mode & S_IFDIR)
 -			register_proc_table(table->child, de);
 +			register_proc_table(table->child, de, set);
  	}
  }

 @@ -1336,6 +1396,13 @@
  				continue;
  		}

 +		/*
 +		 * In any case, mark the entry as goner; we'll keep it
 +		 * around if it's busy, but we'll know to do nothing with
 +		 * its fields.  We are under sysctl_lock here.
 +		 */
 +		de->data = NULL;
 +
  		/* Don't unregister proc entries that are still being used.. */
  		if (atomic_read(&de->count))
  			continue;
 @@ -1349,27 +1416,38 @@
  			  size_t count, loff_t *ppos)
  {
  	int op;
 -	struct proc_dir_entry *de;
 +	struct proc_dir_entry *de = PDE(file->f_dentry->d_inode);
  	struct ctl_table *table;
  	size_t res;
 -	ssize_t error;
 -
 -	de = PDE(file->f_dentry->d_inode);
 -	if (!de || !de->data)
 -		return -ENOTDIR;
 -	table = (struct ctl_table *) de->data;
 -	if (!table || !table->proc_handler)
 -		return -ENOTDIR;
 -	op = (write ? 002 : 004);
 -	if (ctl_perm(table, op))
 -		return -EPERM;
 +	ssize_t error = -ENOTDIR;

 -	res = count;
 -
 -	error = (*table->proc_handler) (table, write, file, buf, &res, ppos);
 -	if (error)
 -		return error;
 -	return res;
 +	spin_lock(&sysctl_lock);
 +	if (de && de->data && use_table(de->set)) {
 +		/*
 +		 * at that point we know that sysctl was not unregistered
 +		 * and won't be until we finish
 +		 */
 +		spin_unlock(&sysctl_lock);
 +		table = (struct ctl_table *) de->data;
 +		if (!table || !table->proc_handler)
 +			goto out;
 +		error = -EPERM;
 +		op = (write ? 002 : 004);
 +		if (ctl_perm(table, op))
 +			goto out;
 +
 +		/* careful: calling conventions are nasty here */
 +		res = count;
 +		error = (*table->proc_handler)(table, write, file,
 +						buf, &res, ppos);
 +		if (!error)
 +			error = res;
 +	out:
 +		spin_lock(&sysctl_lock);
 +		unuse_table(de->set);
 +	}
 +	spin_unlock(&sysctl_lock);
 +	return error;
  }

  static int proc_opensys(struct inode *inode, struct file *file)
 _______________________________________________
 Security mailing list
 Security@linux.kernel.org
 http://linux.kernel.org/mailman/listinfo/security
	From security-bounces@linux.kernel.org Tue Nov 8 07:05:26 2005
	Date: Tue, 8 Nov 2005 15:03:46 +0000 (GMT)
	From: Mark J Cox <mjc@redhat.com>
	To: security@kernel.org
	Message-ID: <0511081502560.8682@dell1.moose.awe.com>
	Cc: aviro@redhat.com, vendor-sec@lst.de
	Subject: CVE-2005-2709 sysctl unregistration oops

	From: Al Viro <viro@zeniv.linux.org.uk>

	You could open the /proc/sys/net/ipv4/conf/<if>/<whatever> file, then
	wait for interface to go away, try to grab as much memory as possible in
	hope to hit the (kfreed) ctl_table. Then fill it with pointers to your
	function. Then do read from file you've opened and if you are lucky,
	you'll get it called as ->proc_handler() in kernel mode.

	So this is at least an Oops and possibly more. It does depend on an
	interface going away though, so less of a security risk than it would
	otherwise be.

	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

	diff -urN current/arch/s390/appldata/appldata_base.c sysctl/arch/s390/appldata/appldata_base.c
	--- current/arch/s390/appldata/appldata_base.c 2005-08-28 23:09:40.000000000 -0400
	+++ sysctl/arch/s390/appldata/appldata_base.c 2005-11-03 08:53:57.000000000 -0500
	@@ -592,12 +592,15 @@
	*/
	void appldata_unregister_ops(struct appldata_ops *ops)
	{
	+ void *table;
	spin_lock(&appldata_ops_lock);
	- unregister_sysctl_table(ops->sysctl_header);
	list_del(&ops->list);
	- kfree(ops->ctl_table);
	+ /* at that point any incoming access will fail */
	+ table = ops->ctl_table;
	ops->ctl_table = NULL;
	spin_unlock(&appldata_ops_lock);
	+ unregister_sysctl_table(ops->sysctl_header);
	+ kfree(table);
	P_INFO("%s-ops unregistered!\n", ops->name);
	}
	/******************** module-ops management <END> ************************/
	diff -urN current/include/linux/proc_fs.h sysctl/include/linux/proc_fs.h
	--- current/include/linux/proc_fs.h 2005-08-28 23:09:48.000000000 -0400
	+++ sysctl/include/linux/proc_fs.h 2005-11-03 08:43:22.000000000 -0500
	@@ -66,6 +66,7 @@
	write_proc_t *write_proc;
	atomic_t count; /* use count */
	int deleted; /* delete flag */
	+ void *set;
	};

	struct kcore_list {
	diff -urN current/include/linux/sysctl.h sysctl/include/linux/sysctl.h
	--- current/include/linux/sysctl.h 2005-10-28 16:42:49.000000000 -0400
	+++ sysctl/include/linux/sysctl.h 2005-11-03 08:43:22.000000000 -0500
	@@ -24,6 +24,7 @@
	#include <linux/compiler.h>

	struct file;
	+struct completion;

	#define CTL_MAXNAME 10 /* how many path components do we allow in a
	call to sysctl? In other words, what is
	@@ -925,6 +926,8 @@
	{
	ctl_table *ctl_table;
	struct list_head ctl_entry;
	+ int used;
	+ struct completion *unregistering;
	};

	struct ctl_table_header * register_sysctl_table(ctl_table * table,
	diff -urN current/kernel/sysctl.c sysctl/kernel/sysctl.c
	--- current/kernel/sysctl.c 2005-10-28 16:42:49.000000000 -0400
	+++ sysctl/kernel/sysctl.c 2005-11-03 08:50:17.000000000 -0500
	@@ -169,7 +169,7 @@

	extern struct proc_dir_entry *proc_sys_root;

	-static void register_proc_table(ctl_table , struct proc_dir_entry );
	+static void register_proc_table(ctl_table , struct proc_dir_entry , void *);
	static void unregister_proc_table(ctl_table , struct proc_dir_entry );
	#endif

	@@ -992,10 +992,51 @@

	extern void init_irq_proc (void);

	+static DEFINE_SPINLOCK(sysctl_lock);
	+
	+/* called under sysctl_lock */
	+static int use_table(struct ctl_table_header *p)
	+{
	+ if (unlikely(p->unregistering))
	+ return 0;
	+ p->used++;
	+ return 1;
	+}
	+
	+/* called under sysctl_lock */
	+static void unuse_table(struct ctl_table_header *p)
	+{
	+ if (!--p->used)
	+ if (unlikely(p->unregistering))
	+ complete(p->unregistering);
	+}
	+
	+/* called under sysctl_lock, will reacquire if has to wait */
	+static void start_unregistering(struct ctl_table_header *p)
	+{
	+ /*
	+ * if p->used is 0, nobody will ever touch that entry again;
	+ * we'll eliminate all paths to it before dropping sysctl_lock
	+ */
	+ if (unlikely(p->used)) {
	+ struct completion wait;
	+ init_completion(&wait);
	+ p->unregistering = &wait;
	+ spin_unlock(&sysctl_lock);
	+ wait_for_completion(&wait);
	+ spin_lock(&sysctl_lock);
	+ }
	+ /*
	+ * do not remove from the list until nobody holds it; walking the
	+ * list in do_sysctl() relies on that.
	+ */
	+ list_del_init(&p->ctl_entry);
	+}
	+
	void __init sysctl_init(void)
	{
	#ifdef CONFIG_PROC_FS
	- register_proc_table(root_table, proc_sys_root);
	+ register_proc_table(root_table, proc_sys_root, &root_table_header);
	init_irq_proc();
	#endif
	}
	@@ -1004,6 +1045,7 @@
	void __user *newval, size_t newlen)
	{
	struct list_head *tmp;
	+ int error = -ENOTDIR;

	if (nlen <= 0 \|\| nlen >= CTL_MAXNAME)
	return -ENOTDIR;
	@@ -1012,20 +1054,30 @@
	if (!oldlenp \|\| get_user(old_len, oldlenp))
	return -EFAULT;
	}
	+ spin_lock(&sysctl_lock);
	tmp = &root_table_header.ctl_entry;
	do {
	struct ctl_table_header *head =
	list_entry(tmp, struct ctl_table_header, ctl_entry);
	void *context = NULL;
	- int error = parse_table(name, nlen, oldval, oldlenp,
	+
	+ if (!use_table(head))
	+ continue;
	+
	+ spin_unlock(&sysctl_lock);
	+
	+ error = parse_table(name, nlen, oldval, oldlenp,
	newval, newlen, head->ctl_table,
	&context);
	kfree(context);
	+
	+ spin_lock(&sysctl_lock);
	+ unuse_table(head);
	if (error != -ENOTDIR)
	- return error;
	- tmp = tmp->next;
	- } while (tmp != &root_table_header.ctl_entry);
	- return -ENOTDIR;
	+ break;
	+ } while ((tmp = tmp->next) != &root_table_header.ctl_entry);
	+ spin_unlock(&sysctl_lock);
	+ return error;
	}

	asmlinkage long sys_sysctl(struct __sysctl_args __user *args)
	@@ -1236,12 +1288,16 @@
	return NULL;
	tmp->ctl_table = table;
	INIT_LIST_HEAD(&tmp->ctl_entry);
	+ tmp->used = 0;
	+ tmp->unregistering = NULL;
	+ spin_lock(&sysctl_lock);
	if (insert_at_head)
	list_add(&tmp->ctl_entry, &root_table_header.ctl_entry);
	else
	list_add_tail(&tmp->ctl_entry, &root_table_header.ctl_entry);
	+ spin_unlock(&sysctl_lock);
	#ifdef CONFIG_PROC_FS
	- register_proc_table(table, proc_sys_root);
	+ register_proc_table(table, proc_sys_root, tmp);
	#endif
	return tmp;
	}
	@@ -1255,10 +1311,13 @@
	*/
	void unregister_sysctl_table(struct ctl_table_header * header)
	{
	- list_del(&header->ctl_entry);
	+ might_sleep();
	+ spin_lock(&sysctl_lock);
	+ start_unregistering(header);
	#ifdef CONFIG_PROC_FS
	unregister_proc_table(header->ctl_table, proc_sys_root);
	#endif
	+ spin_unlock(&sysctl_lock);
	kfree(header);
	}

	@@ -1269,7 +1328,7 @@
	#ifdef CONFIG_PROC_FS

	/* Scan the sysctl entries in table and add them all into /proc */
	-static void register_proc_table(ctl_table * table, struct proc_dir_entry *root)
	+static void register_proc_table(ctl_table * table, struct proc_dir_entry root, void set)
	{
	struct proc_dir_entry *de;
	int len;
	@@ -1305,13 +1364,14 @@
	de = create_proc_entry(table->procname, mode, root);
	if (!de)
	continue;
	+ de->set = set;
	de->data = (void *) table;
	if (table->proc_handler)
	de->proc_fops = &proc_sys_file_operations;
	}
	table->de = de;
	if (de->mode & S_IFDIR)
	- register_proc_table(table->child, de);
	+ register_proc_table(table->child, de, set);
	}
	}

	@@ -1336,6 +1396,13 @@
	continue;
	}

	+ /*
	+ * In any case, mark the entry as goner; we'll keep it
	+ * around if it's busy, but we'll know to do nothing with
	+ * its fields. We are under sysctl_lock here.
	+ */
	+ de->data = NULL;
	+
	/* Don't unregister proc entries that are still being used.. */
	if (atomic_read(&de->count))
	continue;
	@@ -1349,27 +1416,38 @@
	size_t count, loff_t *ppos)
	{
	int op;
	- struct proc_dir_entry *de;
	+ struct proc_dir_entry *de = PDE(file->f_dentry->d_inode);
	struct ctl_table *table;
	size_t res;
	- ssize_t error;
	-
	- de = PDE(file->f_dentry->d_inode);
	- if (!de \|\| !de->data)
	- return -ENOTDIR;
	- table = (struct ctl_table *) de->data;
	- if (!table \|\| !table->proc_handler)
	- return -ENOTDIR;
	- op = (write ? 002 : 004);
	- if (ctl_perm(table, op))
	- return -EPERM;
	+ ssize_t error = -ENOTDIR;

	- res = count;
	-
	- error = (*table->proc_handler) (table, write, file, buf, &res, ppos);
	- if (error)
	- return error;
	- return res;
	+ spin_lock(&sysctl_lock);
	+ if (de && de->data && use_table(de->set)) {
	+ /*
	+ * at that point we know that sysctl was not unregistered
	+ * and won't be until we finish
	+ */
	+ spin_unlock(&sysctl_lock);
	+ table = (struct ctl_table *) de->data;
	+ if (!table \|\| !table->proc_handler)
	+ goto out;
	+ error = -EPERM;
	+ op = (write ? 002 : 004);
	+ if (ctl_perm(table, op))
	+ goto out;
	+
	+ /* careful: calling conventions are nasty here */
	+ res = count;
	+ error = (*table->proc_handler)(table, write, file,
	+ buf, &res, ppos);
	+ if (!error)
	+ error = res;
	+ out:
	+ spin_lock(&sysctl_lock);
	+ unuse_table(de->set);
	+ }
	+ spin_unlock(&sysctl_lock);
	+ return error;
	}

	static int proc_opensys(struct inode inode, struct file file)
	_______________________________________________
	Security mailing list
	Security@linux.kernel.org
	http://linux.kernel.org/mailman/listinfo/security