BUG() when opened miscdev fd's are used after being inherited/passed

Bug #994247 reported by Tyler Hicks on 2012-05-03
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
eCryptfs
Medium
Tyler Hicks
linux (Ubuntu)
Medium
Colin Ian King
Lucid
Medium
Colin Ian King
Natty
Medium
Colin Ian King

Bug Description

Originally reported by Sasha Levin and discovered by the Trinity syscall fuzzer:

https://lkml.org/lkml/2012/5/3/20

The problem is that the /dev/ecryptfs code doesn't expect file operations to be performed by processes other than the one that originally opened the /dev/ecryptfs file. Operations on files inherited across fork() or passed through IPC mechanisms are poorly handled with a kernel BUG().

Tyler Hicks (tyhicks) wrote :

My original attempt at fixing this simply converted all of the BUG_ON() calls in ecryptfs_miscdev_*() to if statements that gracefully handled the various conditions. This mostly worked (and will probably be a part of the final solution) except for handling the case where a passed fd was the last one closed. In that situation, ecryptfs_miscdev_release() cannot do its job because we may not be able to look up the daemon with ecryptfs_find_daemon_by_euid() since the current euid may not match the original euid.

Tyler Hicks (tyhicks) wrote :
Changed in ecryptfs:
status: In Progress → Fix Released
Colin Ian King (colin-king) wrote :

SRU justification (Lucid, Oneiric)

Impact:

File operations on /dev/ecryptfs would BUG() when the operations were
performed by processes other than the process that originally opened the
file. This could happen with open files inherited after fork() or file
descriptors passed through IPC mechanisms.

Fix:

upstream cherry pick of commit 8dc6780587c99286c0d3de747a2946a76989414a

Testcase:

http://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/696
(test lp-994247.sh)

Without the fix, this test fails. With the fix, it passes.

no longer affects: ecryptfs-utils (Ubuntu)
no longer affects: linux (Ubuntu Natty)
no longer affects: linux (Ubuntu Precise)
no longer affects: linux (Ubuntu Quantal)

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 994247

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu Lucid):
status: New → Incomplete
Changed in linux (Ubuntu Oneiric):
status: New → Incomplete
Changed in linux (Ubuntu Lucid):
status: Incomplete → Confirmed
Changed in linux (Ubuntu Oneiric):
status: Incomplete → Confirmed
Changed in linux (Ubuntu Lucid):
importance: Undecided → Medium
Changed in linux (Ubuntu Oneiric):
importance: Undecided → Medium
assignee: nobody → Colin King (colin-king)
Changed in linux (Ubuntu Lucid):
assignee: nobody → Colin King (colin-king)
Tim Gardner (timg-tpi) wrote :

Released in -proposed Ubuntu-3.0.0-24.40

Changed in linux (Ubuntu Lucid):
status: Confirmed → Fix Committed
Changed in linux (Ubuntu Oneiric):
status: Confirmed → Fix Committed
no longer affects: linux (Ubuntu Oneiric)
Tim Gardner (timg-tpi) on 2012-08-01
Changed in linux (Ubuntu):
status: Incomplete → In Progress
Changed in linux (Ubuntu):
status: In Progress → Confirmed
no longer affects: linux (Ubuntu)
no longer affects: linux (Ubuntu Lucid)
no longer affects: linux (Ubuntu Quantal)
no longer affects: linux (Ubuntu Precise)
no longer affects: linux (Ubuntu Oneiric)
Changed in linux (Ubuntu Lucid):
status: New → Fix Released
Changed in linux (Ubuntu Natty):
status: New → Fix Released
Changed in linux (Ubuntu Lucid):
importance: Undecided → Medium
Changed in linux (Ubuntu Natty):
importance: Undecided → Medium
Changed in linux (Ubuntu):
status: New → Fix Released
importance: Undecided → Medium
Changed in linux (Ubuntu Lucid):
assignee: nobody → Colin King (colin-king)
Changed in linux (Ubuntu):
assignee: nobody → Colin King (colin-king)
Changed in linux (Ubuntu Natty):
assignee: nobody → Colin King (colin-king)
Tim Gardner (timg-tpi) on 2012-08-01
Changed in linux (Ubuntu Lucid):
status: Fix Released → Fix Committed
Changed in linux (Ubuntu Natty):
status: Fix Released → Fix Committed
Brad Figg (brad-figg) on 2012-08-20
tags: added: verification-needed-lucid
Colin Ian King (colin-king) wrote :

Passes verification with ext2,ext3,ext4,xfs and btrfs lower file systems on Linux ubuntu 2.6.32-42-server #96-Ubuntu SMP Wed Aug 15 19:52:20 UTC 2012 x86_64 GNU/Linux

sudo ./tests/run_tests.sh -K -c safe -b 1000000 -D /tmp/image -l /lower -u /upper -t lp-994247.sh -f ext2,ext3,ext4,xfs,btrfs
Running eCryptfs filesystem tests on ext2
lp-994247 pass
Running eCryptfs filesystem tests on ext3
lp-994247 pass
Running eCryptfs filesystem tests on ext4
lp-994247 pass
Running eCryptfs filesystem tests on xfs
lp-994247 pass
Running eCryptfs filesystem tests on btrfs
lp-994247 pass

Test Summary:
5 passed
0 failed

tags: added: verification-done-lucid
removed: verification-needed-lucid
Colin Ian King (colin-king) wrote :

re: comment #4, this was actually a SRU for Lucid + Natty. Natty commit http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-natty.git;a=commit;h=3ffce8c8a05223696e567f1c0efe34d496dc22ac tested:

Passes verification with ext2,ext3,ext4,xfs and btrfs lower file systems on Linux ubuntu 2.6.38-15-server #66-Ubuntu SMP Tue Aug 14 17:42:23 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

..so I'm going to add a verification-done-natty tag too

tags: added: verification-done-natty

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.32-42.96

---------------
linux (2.6.32-42.96) lucid-proposed; urgency=low

  [Luis Henriques]

  * Release Tracking Bug
    - LP: #1036553

  [ Andy Whitcroft ]

  * SAUCE: rds_ib_send() -- prevent local pings triggering BUG_ON()
    - LP: #1016299
    - CVE-2012-2372

  [ Upstream Kernel Changes ]

  * udf: Fortify loading of sparing table
    - LP: #1024497
    - CVE-2012-3400
  * udf: Avoid run away loop when partition table length is corrupted
    - LP: #1024497
    - CVE-2012-3400
  * eCryptfs: Gracefully refuse miscdev file ops on inherited/passed files
    - LP: #994247
  * eCryptfs: Copy up POSIX ACL and read-only flags from lower mount
    - LP: #1009207
  * drm: integer overflow in drm_mode_dirtyfb_ioctl()
    - LP: #917838
    - CVE-2012-0044
 -- Luis Henriques <email address hidden> Tue, 14 Aug 2012 09:51:58 +0100

Changed in linux (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in linux (Ubuntu Natty):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers