BUG() when opened miscdev fd's are used after being inherited/passed
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| eCryptfs | | Medium | Tyler Hicks | |
| linux (Ubuntu) | | Medium | Colin Ian King | |
| Lucid | | Medium | Colin Ian King | |
| Natty | | Medium | Colin Ian King | |
Bug Description
Originally reported by Sasha Levin and discovered by the Trinity syscall fuzzer:
https:/
The problem is that the /dev/ecryptfs code doesn't expect file operations to be performed by processes other than the one that originally opened the /dev/ecryptfs file. Operations on files inherited across fork() or passed through IPC mechanisms are poorly handled with a kernel BUG().
Related branches
| Tyler Hicks (tyhicks) wrote : | #1 |
| Tyler Hicks (tyhicks) wrote : | #2 |
Patches sent out for review:
http://
Test case committed to ecryptfs-utils:
http://
| Tyler Hicks (tyhicks) wrote : | #3 |
Released in 3.5-rc6
http://
| Changed in ecryptfs: | |
| status: | In Progress → Fix Released |
| Colin Ian King (colin-king) wrote : | #4 |
SRU justification (Lucid, Oneiric)
Impact:
File operations on /dev/ecryptfs would BUG() when the operations were
performed by processes other than the process that originally opened the
file. This could happen with open files inherited after fork() or file
descriptors passed through IPC mechanisms.
Fix:
upstream cherry pick of commit 8dc6780587c9928
Testcase:
http://
(test lp-994247.sh)
Without the fix, this test fails. With the fix, it passes.
| no longer affects: | ecryptfs-utils (Ubuntu) |
| no longer affects: | linux (Ubuntu Natty) |
| no longer affects: | linux (Ubuntu Precise) |
| no longer affects: | linux (Ubuntu Quantal) |
This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:
apport-collect 994247
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.
| Changed in linux (Ubuntu): | |
| status: | New → Incomplete |
| Changed in linux (Ubuntu Lucid): | |
| status: | New → Incomplete |
| Changed in linux (Ubuntu Oneiric): | |
| status: | New → Incomplete |
| Changed in linux (Ubuntu Lucid): | |
| status: | Incomplete → Confirmed |
| Changed in linux (Ubuntu Oneiric): | |
| status: | Incomplete → Confirmed |
| Changed in linux (Ubuntu Lucid): | |
| importance: | Undecided → Medium |
| Changed in linux (Ubuntu Oneiric): | |
| importance: | Undecided → Medium |
| assignee: | nobody → Colin King (colin-king) |
| Changed in linux (Ubuntu Lucid): | |
| assignee: | nobody → Colin King (colin-king) |
| Tim Gardner (timg-tpi) wrote : | #6 |
Released in -proposed Ubuntu-3.0.0-24.40
| Changed in linux (Ubuntu Lucid): | |
| status: | Confirmed → Fix Committed |
| Changed in linux (Ubuntu Oneiric): | |
| status: | Confirmed → Fix Committed |
| no longer affects: | linux (Ubuntu Oneiric) |
| Changed in linux (Ubuntu): | |
| status: | Incomplete → In Progress |
| Changed in linux (Ubuntu): | |
| status: | In Progress → Confirmed |
| no longer affects: | linux (Ubuntu) |
| no longer affects: | linux (Ubuntu Lucid) |
| no longer affects: | linux (Ubuntu Quantal) |
| no longer affects: | linux (Ubuntu Precise) |
| no longer affects: | linux (Ubuntu Oneiric) |
| Changed in linux (Ubuntu Lucid): | |
| status: | New → Fix Released |
| Changed in linux (Ubuntu Natty): | |
| status: | New → Fix Released |
| Changed in linux (Ubuntu Lucid): | |
| importance: | Undecided → Medium |
| Changed in linux (Ubuntu Natty): | |
| importance: | Undecided → Medium |
| Changed in linux (Ubuntu): | |
| status: | New → Fix Released |
| importance: | Undecided → Medium |
| Changed in linux (Ubuntu Lucid): | |
| assignee: | nobody → Colin King (colin-king) |
| Changed in linux (Ubuntu): | |
| assignee: | nobody → Colin King (colin-king) |
| Changed in linux (Ubuntu Natty): | |
| assignee: | nobody → Colin King (colin-king) |
| Changed in linux (Ubuntu Lucid): | |
| status: | Fix Released → Fix Committed |
| Changed in linux (Ubuntu Natty): | |
| status: | Fix Released → Fix Committed |
| tags: | added: verification-needed-lucid |
| Colin Ian King (colin-king) wrote : | #7 |
Passes verification with ext2,ext3,ext4,xfs and btrfs lower file systems on Linux ubuntu 2.6.32-42-server #96-Ubuntu SMP Wed Aug 15 19:52:20 UTC 2012 x86_64 GNU/Linux
sudo ./tests/
Running eCryptfs filesystem tests on ext2
lp-994247 pass
Running eCryptfs filesystem tests on ext3
lp-994247 pass
Running eCryptfs filesystem tests on ext4
lp-994247 pass
Running eCryptfs filesystem tests on xfs
lp-994247 pass
Running eCryptfs filesystem tests on btrfs
lp-994247 pass
Test Summary:
5 passed
0 failed
| tags: | added: verification-done-lucid removed: verification-needed-lucid |
| Colin Ian King (colin-king) wrote : | #8 |
re: comment #4, this was actually a SRU for Lucid + Natty. Natty commit http://
Passes verification with ext2,ext3,ext4,xfs and btrfs lower file systems on Linux ubuntu 2.6.38-15-server #66-Ubuntu SMP Tue Aug 14 17:42:23 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
..so I'm going to add a verification-
| tags: | added: verification-done-natty |
The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
| Launchpad Janitor (janitor) wrote : | #10 |
This bug was fixed in the package linux - 2.6.32-42.96
---------------
linux (2.6.32-42.96) lucid-proposed; urgency=low
[Luis Henriques]
* Release Tracking Bug
- LP: #1036553
[ Andy Whitcroft ]
* SAUCE: rds_ib_send() -- prevent local pings triggering BUG_ON()
- LP: #1016299
- CVE-2012-2372
[ Upstream Kernel Changes ]
* udf: Fortify loading of sparing table
- LP: #1024497
- CVE-2012-3400
* udf: Avoid run away loop when partition table length is corrupted
- LP: #1024497
- CVE-2012-3400
* eCryptfs: Gracefully refuse miscdev file ops on inherited/passed files
- LP: #994247
* eCryptfs: Copy up POSIX ACL and read-only flags from lower mount
- LP: #1009207
* drm: integer overflow in drm_mode_
- LP: #917838
- CVE-2012-0044
-- Luis Henriques <email address hidden> Tue, 14 Aug 2012 09:51:58 +0100
| Changed in linux (Ubuntu Lucid): | |
| status: | Fix Committed → Fix Released |
| Changed in linux (Ubuntu Natty): | |
| status: | Fix Committed → Fix Released |


My original attempt at fixing this simply converted all of the BUG_ON() calls in ecryptfs_miscdev_*() to if statements that gracefully handled the various conditions. This mostly worked (and will probably be a part of the final solution) except for handling the case where a passed fd was the last one closed. In that situation, ecryptfs_miscdev_release() cannot do its job because we may not be able to look up the daemon with ecryptfs_find_daemon_by_euid() since the current euid may not match the original euid.
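The two descriptor-transfer paths named in the bug description (inheritance across fork() and passing through IPC) and the "passed fd is the last one closed" case raised in the comment above, as an added user-space example that is not part of this bug report, the lp-994247.sh test case, or the eCryptfs code. It uses a pipe as a stand-in for /dev/ecryptfs so it runs on any Linux box without touching the miscdev; the function names, the socketpair/pipe arrangement and the one-byte "go" signal are this example's own choices. The second function arranges for the receiving process to hold the only remaining reference, so the pipe's read end reports EOF only after the child closes, which is exactly the situation where the kernel's release handler runs in a task other than the opener.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Send exactly one descriptor over a UNIX socket as SCM_RIGHTS ancillary data. */
static int send_fd(int sock, int fd)
{
    char byte = 'f';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    memset(cbuf, 0, sizeof cbuf);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof fd);
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; the kernel installs a fresh fd in the caller's table. */
static int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof fd);
    return fd;
}

/* Path 1: fork() inheritance. The child performs a file op on a descriptor
 * it never opened. Returns 1 if the child's fstat() sees the parent's inode. */
int inherited_fd_usable_after_fork(void)
{
    int p[2];
    struct stat parent_st;
    if (pipe(p) < 0 || fstat(p[1], &parent_st) < 0)
        return 0;
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {
        struct stat st;
        int ok = fstat(p[1], &st) == 0 && st.st_ino == parent_st.st_ino;
        _exit(ok ? 0 : 1);
    }
    int status;
    waitpid(pid, &status, 0);
    close(p[0]);
    close(p[1]);
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Path 2: SCM_RIGHTS passing, arranged so the receiver is the LAST closer.
 * The opener (parent) passes the pipe's write end, then closes its own copy.
 * Returns 1 if the read end stayed open after the opener's close and reached
 * EOF only once the child closed, i.e. final release ran in the non-opener. */
int last_close_happens_in_receiver(void)
{
    int p[2], sv[2];
    if (pipe(p) < 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 0;
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {
        /* Drop everything inherited via fork() so only the passed fd counts. */
        close(p[0]); close(p[1]); close(sv[0]);
        int w = recv_fd(sv[1]);
        char go;
        if (w < 0 || read(sv[1], &go, 1) != 1)   /* wait for the parent's signal */
            _exit(1);
        close(w);                                /* the file's last reference goes here */
        _exit(0);
    }
    close(sv[1]);
    int sent = send_fd(sv[0], p[1]) == 0;
    close(p[1]);                                 /* opener lets go; child still holds a copy */

    /* In-flight or received, the passed copy keeps the write end alive: no EOF yet. */
    int flags = fcntl(p[0], F_GETFL);
    fcntl(p[0], F_SETFL, flags | O_NONBLOCK);
    char c;
    int still_open = read(p[0], &c, 1) < 0 && errno == EAGAIN;
    fcntl(p[0], F_SETFL, flags);

    int signalled = write(sv[0], "g", 1) == 1;   /* tell the child to close */
    int eof_after = read(p[0], &c, 1) == 0;      /* blocks until the child's copy is gone */

    int status;
    waitpid(pid, &status, 0);
    close(p[0]); close(sv[0]);
    return sent && signalled && still_open && eof_after &&
           WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("inherited fd usable after fork: %d\n", inherited_fd_usable_after_fork());
    printf("last close in receiving process: %d\n", last_close_happens_in_receiver());
    return 0;
}
```

Both functions return 1 on a normal Linux system. Swapping an open /dev/ecryptfs descriptor in for the pipe reproduces the pattern this bug is about: on a kernel without the fix, the file op in path 1 and the final close in path 2 arrive from a task that is not the one that opened the device, and `current` in a release handler is the closing task, not the opener, which is why a release path that looks the owner up by the current euid cannot be relied on there.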