[Applied Oneiric] Re: [PATCH 1/2] [oneiric CVE 1/2] Add mount option to check uid of device being mounted = expect uid

Leann Ogasawara leann.ogasawara at canonical.com
Thu Aug 11 14:09:56 UTC 2011 

Looks like this has officially landed upstream in Linus' tree.  So I've
just cherry-picked from there, inserted the BugLink and CVE to the
commit, and have applied to Oneiric master-next.

Thanks,
Leann

On Thu, 2011-08-11 at 00:39 -0700, John Johansen wrote:
> Close a TOCTOU race for mounts done via ecryptfs-mount-private.  The mount
> source (device) can be raced when the ownership test is done in userspace.
> Provide Ecryptfs a means to force the uid check at mount time.
> 
> (cherry picked from commit 764355487ea220fdc2faf128d577d7f679b91f97 git://git.kernel.org/pub/scm/linux/kernel/git/ecryptfs/ecryptfs-2.6.git for-linus)
> CVE-2011-1833
> BugLink: http://bugs.launchpad.net/bugs/732628
> 
> Signed-off-by: John Johansen <john.johansen at canonical.com>
> ---
>  fs/ecryptfs/main.c |   23 +++++++++++++++++++++--
>  1 files changed, 21 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/ecryptfs/main.c b/fs/ecryptfs/main.c
> index 26faa17..703cda3 100644
> --- a/fs/ecryptfs/main.c
> +++ b/fs/ecryptfs/main.c
> @@ -175,6 +175,7 @@ enum { ecryptfs_opt_sig, ecryptfs_opt_ecryptfs_sig,
>         ecryptfs_opt_encrypted_view, ecryptfs_opt_fnek_sig,
>         ecryptfs_opt_fn_cipher, ecryptfs_opt_fn_cipher_key_bytes,
>         ecryptfs_opt_unlink_sigs, ecryptfs_opt_mount_auth_tok_only,
> +       ecryptfs_opt_check_dev_ruid,
>         ecryptfs_opt_err };
>  
>  static const match_table_t tokens = {
> @@ -191,6 +192,7 @@ static const match_table_t tokens = {
>  	{ecryptfs_opt_fn_cipher_key_bytes, "ecryptfs_fn_key_bytes=%u"},
>  	{ecryptfs_opt_unlink_sigs, "ecryptfs_unlink_sigs"},
>  	{ecryptfs_opt_mount_auth_tok_only, "ecryptfs_mount_auth_tok_only"},
> +	{ecryptfs_opt_check_dev_ruid, "ecryptfs_check_dev_ruid"},
>  	{ecryptfs_opt_err, NULL}
>  };
>  
> @@ -236,6 +238,7 @@ static void ecryptfs_init_mount_crypt_stat(
>   * ecryptfs_parse_options
>   * @sb: The ecryptfs super block
>   * @options: The options passed to the kernel
> + * @check_ruid: set to 1 if device uid should be checked against the ruid
>   *
>   * Parse mount options:
>   * debug=N 	   - ecryptfs_verbosity level for debug output
> @@ -251,7 +254,8 @@ static void ecryptfs_init_mount_crypt_stat(
>   *
>   * Returns zero on success; non-zero on error
>   */
> -static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options)
> +static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options,
> +				  uid_t *check_ruid)
>  {
>  	char *p;
>  	int rc = 0;
> @@ -276,6 +280,8 @@ static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options)
>  	char *cipher_key_bytes_src;
>  	char *fn_cipher_key_bytes_src;
>  
> +	*check_ruid = 0;
> +
>  	if (!options) {
>  		rc = -EINVAL;
>  		goto out;
> @@ -380,6 +386,9 @@ static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options)
>  			mount_crypt_stat->flags |=
>  				ECRYPTFS_GLOBAL_MOUNT_AUTH_TOK_ONLY;
>  			break;
> +		case ecryptfs_opt_check_dev_ruid:
> +			*check_ruid = 1;
> +			break;
>  		case ecryptfs_opt_err:
>  		default:
>  			printk(KERN_WARNING
> @@ -475,6 +484,7 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags
>  	const char *err = "Getting sb failed";
>  	struct inode *inode;
>  	struct path path;
> +	uid_t check_ruid;
>  	int rc;
>  
>  	sbi = kmem_cache_zalloc(ecryptfs_sb_info_cache, GFP_KERNEL);
> @@ -483,7 +493,7 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags
>  		goto out;
>  	}
>  
> -	rc = ecryptfs_parse_options(sbi, raw_data);
> +	rc = ecryptfs_parse_options(sbi, raw_data, &check_ruid);
>  	if (rc) {
>  		err = "Error parsing options";
>  		goto out;
> @@ -521,6 +531,15 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags
>  			"known incompatibilities\n");
>  		goto out_free;
>  	}
> +
> +	if (check_ruid && path.dentry->d_inode->i_uid != current_uid()) {
> +		rc = -EPERM;
> +		printk(KERN_ERR "Mount of device (uid: %d) not owned by "
> +		       "requested user (uid: %d)\n",
> +		       path.dentry->d_inode->i_uid, current_uid());
> +		goto out_free;
> +	}
> +
>  	ecryptfs_set_superblock_lower(s, path.dentry->d_sb);
>  	s->s_maxbytes = path.dentry->d_sb->s_maxbytes;
>  	s->s_blocksize = path.dentry->d_sb->s_blocksize;
> -- 
> 1.7.5.4
> 
>

More information about the kernel-team mailing list